Joe Sent Me. Multi-Factor Authentication for the Roaring 2020s.

Posted by Grant Mongardi on Thu, Dec 08, 2016 @ 10:31 AM

Tags: Security, AD, Centrify, cloud security

JoeSentMe02.jpg

In the days of Prohibition getting your Appletini was much more difficult than it ever should be. Foremost was the fact that they didn't exist. Other than that you would need to know where a speakeasy was, have the password ("Joe sent me"), and not be a copper (the law enforcement kind, not the British penny). In fact this was Multi-factor Authentication: something you know, something you have, and something you are (or are-not in this case). NAPC can help you revisit these roaring 20's but for the 2020s, and perhaps help you cut down on your Appletini consumption in the process.

Multi-factor Authentication or "MFA" is one of the buzz-words of 2016. Everyone is saying it but many people don't quite understand what the mechanism means to their security. It doesn't just mean that it protects against the brute-force attacks we've now had in our system logs for years, it also means more elaborate exploits can be mitigated

Take this years huge growth in spear-phishing attacks. Some of the largest, most security-concious corporations and government entities fell prey to spear-phishing attacks that involved advanced social engineering combined with compromised email accounts. For the attacker access to the victims email account means that they first analyze the communications in the victims inbox and craft an email interaction masquerading as someone the victim knows and convince them to do something that they wouldn't otherwise do, such as wiring money or sending proprietary information.

Add multi-factor to Windows logins

There are many things you can do to help avoid such a scenario, however MFA is probably the most effective. If all of your internal and privileged resources are protected by MFA then you've short-circuited the attacker at the outset. If the attacker doesn't have the 2nd factor for your email account login then they can't even get started. It doesn't matter if they have password, the 2nd factor prevents them from ever using it.

But attacks  aren't just limited to email. Cloud services are effected as well. Whether it's your office suite, your CRM suite, or even your accountiing solution, you really must protect all of your corporate services. Any little bit of information about your company or internal processes can give a smart attacker a leg-up on how to convince your employees into doing something that they probably wouldn't normally do.

Lastly there is what's inside your firewall: people. People have flaws, and mitigating those flaws can make your work an endless nightmare. Many of the things that an employee might do to ruin your weekend aren't necessarily intentional, but nonetheless can make you wish you could crush their skull with a rock. Ok, perhaps that's a bit extreme but the sentiment is similar. Preventing users from being their own worst enemy can extend inside your firewall as well. Adding MFA to servers, desktops, even network hardware will ensure that nobody inadvertantly has access to something that they shouldn't. Also, sharing their account information "for convenience" becomes useless. Also by adding MFA to a tunable privilege escalation mechanism you ensure that they are both the actual person that they say they are and are allowed to do what they are doing, and for everytime they do it. 

Contact NAPC today and we can help you navigate all of these issues and address any concerns you might have with reliable, secure solutions from Centrify. NAPC has the expertise in all of these technologies and experience in addressing all of your issues. Whether you have an audit pending or have had an "event" that you need kept confidential, NAPC can help.

Learn More about securing your Enterprise with MFA  

Zero is HUGE!!!!

Posted by Grant Mongardi on Wed, Nov 11, 2015 @ 02:00 PM

Tags: Security, AD, IT, cloud security

Zero Sign-On for Zero hassles. Simple solution to everyday frustration.

Wait? What did I just say?
Yes, it sounds like I've gone completely crazy, but the kind of zero I'm talking about is huge. For everyone!

I'm talking about Zero Sign-On. You might be saying "I've heard of Single Sign-On (SSO) Grant, but what the heck is Zero Sign-On?". Zero Sign-On is the idea that if you can identify the device being used to connect then you can assume that device belongs to and is controlled by someone you know, and as such can let them connect without actually having to type a password. It's physical security, much like a door key or pass-card is. If I know that your mobile phone or tablet is owned and controlled by you, then I should have no problem using that device as the unique identifier indicating that you are the one trying to connect. Better yet, if I know the device is controlled by both you and me, I can be very comfortable in asserting to anyone that I can control access of both the device and the end-user.

"So Grant, how does all of this work?". In short, by uniquely identifying and then "tagging" that device, be it a phone, tablet or even a netbook, then you can use that as a pass-key to getting into protected resources without having to type a password. The device uniquely identifies you as you, rather than a user/password combination. Not only can it not be "hacked" without the actual device, but it can't be easily "shared" like a user/password can.

"Yeah Grant, but what if someone steals it?". Well, with a proper service like Centrify's IaaS Cloud service for this then all of that should be taken care of. Centrify's offering lets the user register their own devices under their user account. In addition to using it for Zero Sign-On and changing forgotten passwords, it also lets them find the device on a map, lock it remotely, wipe it remotely, and even see what the battery charge level is. But more importantly it lets you, the IT or Security Administrator do important things like apply group policy to the device (like encrypting storage, screen-lock time, passcode length/complexity, etc), unenroll the device and disable Zero Sign-On, and lock or wipe the device.

Centrify Cloud lets you find your lost device, lock it, and even wipe it!

Finally, it let's you see and report on the device's activity and even see if it's been jail-broken and is being backed-up to the Cloud!

"So what about the user's laptop?". Well, if that user has a laptop capable of IWA then the user can use that for Single Sign-On, allowing them to access their services without typing their password again. Centrify DirectControl for Macs will enable IWA on Apple Macs and it's built into Windows, so they just login to the laptop and they're done.

So a few of the best "Zero"s are: Zero support, Zero audit findings, and Zero shared credentials. And that all translates into infinitely better security and tighter controls over your valuable corporate resources.

For more information on Centrify Identity Service or other great products from Centrify just contact us at TheExperts@napc.com and we'll be happy to give you a full demo. We'll also be having a Webinar on Elegant 6 SAML and Centrify's Cloud service on November 19th, 2015 at 2:00 PM EST. Register here to join us for an hour!

 

Password Performance That Isn’t A Compromise

Posted by Grant Mongardi on Wed, Nov 04, 2015 @ 09:12 AM

Tags: Security, AD, cloud security, Password, SSO

So the question often arises of how can I have a secure password that I can remember and that meets the criteria of my policy? It comes up all of the time. Most systems place criteria on setting a new password to something like this:

  • must be at least 8 characters
  • must contain uppercase & lowercase characters
  • must contain a number
  • must contain a symbol

and often:

  • cannot contain the username
  • cannot contain consecutive duplicate character

Although there is some dissention as to whether or not all of these criteria are necessary, it certainly does help. It means you can't only have your dog's name or your daughter's birthdate as your password. But most people have a problem even creating passwords that meet the criteria, never mind remembering them.

I suggest thinking of the password differently. If you think of your password as a "pass-phrase" rather than a single word then you are much more likely to both remember it and to create one that is very secure. First you can think of a subject that you're connected with. For example let's say that you're a huge fan of computer games. Perhaps you might create a password like this:

It's a-me, Mari0! 

    or 

It's super effect1ve!

So those certainly meets our criteria, assuming your name isn't Mario. And hopefully you can remember it. What if you're a SciFi movie buff? How about these:

Han sh0t first.

I'll b3 back.

We're all standing n0w!

I'm afra1d, Dave.

I'm my 0wn best friend!

In any case, the idea is that you create passwords based upon a phrase that you can remember. You should utilize punctuation just as you would because that helps meet the requirement of special characters. And finally you replace a part or a character with a number or symbol until you've met the criteria required.  

Mind you, this isn't the perfect solution but it meets the criteria and is far more secure than an 8-character password that you can never remember (and then can't reuse). Using a password like this for 60 days far exceeds the security of a random string of 8 characters. A desktop PC utilizing a couple of GPUs can crack 3750 8-character passwords in the about the same time it takes to crack a single 10-character password. Add more characters and those numbers get even better. Most of the passwords above would take years to crack, if not decades.

Contact The Experts <theexperts@napc.com> for options to ensure better security with less work and better compliance across all of your services & websites! Single Sign-On and ZERO Sign-On for all of your corporate web services!

We can help- Active Directory

Posted by Rob Pelmas on Tue, Sep 17, 2013 @ 11:59 AM

Tags: AD, Active Directory, Centrify, Unix

I'd like to start a discussion regarding the many offerings we can provide to make your life easier, more productive, and more secure. One area we excel in and can help you out with is Active Directory Integration, Security and Auditing.


Active Directory is wildly popular in the enterprise, and with good reason. It's arguably one of the best products Microsoft has come out with. A single point of entry for new employees, permissions, and security, it's a great way to make sure you know who has access to systems, that password security meets a standard, allows users to be turned on and off centrally, and it 'just works'.


NAPC has partnered for years with Centrify, the leader in Non-Windows AD integration. We've been using them for Unix integration since they first came out with their world class solutions, and they just keep getting better. You probably know of us and them from your Xinet server. We also have been doing Mac desktop integration (Centrify leans on us for this expertise when they need implementation !). Check out our video on easy rollout of desktop macs to get a sense of what can be done, in addition to the basics-

http://www.youtube.com/watch?v=VHrvZiYEZaE


That's just the tip of the iceberg though. Centrify and NAPC can provide data-center wide services- helping implement AD integration across all your *nix systems. There's a very powerful suite of permissions tools included, so you not only get a stable central authentication structure, you also get an easy way to put 'like' servers into admin groups, and assign rights for users and groups to multiple servers simultaneously. This is tremendously efficient. They have the ability to apply sudo permissions as well in this way, all through an easy, intuitive interface.


On top of this, there's even a great story for Windows servers. Centrify gives reporting capabilities that AD itself doesn't. The suite includes much finer grained abilities to search for idle users, accounts, and machines. We've had people fail SOX audits, and been shown the tool in Centrify that  would have caught the exceptions beforehand. And with automated reporting, you can show the auditors you're trapping for this now, and there's no more examples of it. Talk about looking like a hero!


Another example of what can be done is ongoing auditing of systems. You can load a very lightweight client on any Unix or Windows machine that will actually record screen captures of a users actions. That way, if a system goes down, and an Admin or service provider can't remember exactly what they did, you can watch a video of them typing, mistyping, pushing buttons. This helps you from a SOX auditing standpoint for allowing remote providers in, but also allows you to understand exactly what was done that broke the system. This is hugely powerful, not only to speed up recovery, but also from a training perspective for your admins.


This just breaks the surface of what the tools are capable of. Please feel free to reach out and ask what else can be done, or if you have specific needs, or just feel like you could be doing more on the security and auditing front. Odds are, there's a solution that can address your needs, get you home on time, and sleeping soundly!


Flathead U Tutorial: Creating a New Bank in CreativeBanks 4

Posted by NAPC Marketing on Tue, May 07, 2013 @ 11:30 AM

Tags: Creative Banks, digital asset management, AD, Active Directory

CreativeBanks 4 Tutorial - Creating a New Bank from FlatheadU on Vimeo.

 

NAPC's CreativeBanks is used for user management for the website of your digital asset management deployment. It integrates with Active Directory, controls access for users, rotates passwords, and even manages branding. Greg Sposato takes the professor's podium at Flathead U to walk us through how to make your first bank in Creative Banks 4. Customizing the theme, adding uploaders, security models, and user notifications are a few steps covered; be sure to watch the video for the full guide.

_______________________________________________________________

 

Active Directory services in a heterogenous environment:

Posted by Rob Pelmas on Tue, Sep 27, 2011 @ 06:11 AM

Tags: Mac, OSX, SOX, Compliance, Security, Xinet, AD, Active Directory, Linux

Once in a while, we find a great tool that solves a big problem, quietly, effectively, and efficiently at an affordable price.

Enter Centrify, a tool that puts all your Linux, Mac and Unix  platforms under Active Directory services. It solves your SOX compliance, security, and auditing requirements, letting you manage and verify all your platforms with minimal effort.

For our customers who operate a Xinet production environment, it brings both the server and the desktops into the AD realm.

We’re aware of two approaches to implementing Centrify in Xinet domains.

One reduces your initial  license cost, but adds some complexity, reduces functionality and is unsupported by Centrify. We don't do this. It does save some upfront costs, and reduces the annual maintenance.

Obviously, we think that approach is deeply flawed.

We’ve built a robust practice around implementing Centrify as a stable, flexible and fully supported tool. Centrify sets a very high standard. Would that all software worked so well.