When $10 Billion companies fail at security, how can I succeed?

Posted by Grant Mongardi on Mon, May 08, 2017 @ 10:11 AM

Tags: Security, MFA, Phishing


This month it was reported that Google and Facebook were both victims of a phishing scam that netted the Lithuanian man behind it in excess of 100 million dollars. So let's get this straight: two of the largest technology companies in the world, both of which probably hold some of your private data, fell victim to a phishing attack. These are companies that make tens of billions of dollars in revenue every year. They have tens of thousands of employees, a sizable number of whom work solely on the security of their products. So how on earth can your IT department, tiny by comparison, protect your small-to-medium-sized business?

Training your employees to be aware of these things just isn't enough anymore. You must implement mechanisms that prevent this sort of social engineering, and do it in a way that lets your employees stay productive and effective. Informing the people at your company of the dangers of phishing is definitely valuable, but pairing that with a demonstration of how the mechanisms you've implemented help them avoid it ensures that every time they use your solution they're reminded of why. That helps sustain diligence on the part of those users. It's no longer the "draconian IT overlords" making their lives more difficult; it becomes the story of how you helped them keep their jobs.

By adding mechanisms such as multi-factor authentication, OATH tokens, and mobile device management, among other processes and procedures, you can greatly reduce the likelihood of one of your employees falling prey to a phishing scam the way these two technology giants did. Seriously, you can do this in a way that fits your budget and still lets your employees be productive and effective.

Whether you're trying to prevent such a security nightmare or simply trying to pass an audit with a gold star, NAPC can help you choose exactly the solutions you need to make this all work. Contact NAPC today for a free consultation or a demo of our offerings.

Joe Sent Me. Multi-Factor Authentication for the Roaring 2020s.

Posted by Grant Mongardi on Thu, Dec 08, 2016 @ 10:31 AM

Tags: Security, AD, Centrify, cloud security


In the days of Prohibition, getting your Appletini was much more difficult than it ever should have been. Foremost was the fact that they didn't exist yet. Beyond that, you would need to know where a speakeasy was, have the password ("Joe sent me"), and not be a copper (the law-enforcement kind, not the British penny). In fact this was multi-factor authentication: something you know, something you have, and something you are (or are not, in this case). NAPC can help you revisit those Roaring '20s for the 2020s, and perhaps help you cut down on your Appletini consumption in the process.

Multi-factor authentication, or "MFA", is one of the buzzwords of 2016. Everyone is saying it, but many people don't quite understand what the mechanism means for their security. It doesn't just protect against the brute-force attacks we've been seeing in our system logs for years; it also mitigates more elaborate exploits.

Take this year's huge growth in spear-phishing attacks. Some of the largest, most security-conscious corporations and government entities fell prey to spear-phishing that combined advanced social engineering with compromised email accounts. Access to the victim's email account lets the attacker first study the communications in the victim's inbox, then craft an email exchange masquerading as someone the victim knows and convince them to do something they wouldn't otherwise do, such as wiring money or sending proprietary information.

Add multi-factor to Windows logins

There are many things you can do to help avoid such a scenario, but MFA is probably the most effective. If all of your internal and privileged resources are protected by MFA, you've short-circuited the attacker at the outset. If the attacker doesn't have the second factor for your email account, they can't even get started. It doesn't matter if they have the password; without the second factor they can never use it. One caveat worth knowing: a one-time code can itself be phished and relayed in real time along with the password, so a factor that can't be relayed, such as a hardware token bound to the legitimate site, closes that gap as well.

But attacks aren't limited to email. Cloud services are affected as well. Whether it's your office suite, your CRM, or your accounting solution, you really must protect all of your corporate services. Any little bit of information about your company or its internal processes can give a smart attacker a leg up on convincing your employees to do something they normally wouldn't.

Lastly there is what's inside your firewall: people. People have flaws, and mitigating those flaws can make your work an endless nightmare. Many of the things an employee might do to ruin your weekend aren't intentional, but they can nonetheless make you wish you could crush their skull with a rock. Ok, perhaps that's a bit extreme, but the sentiment is similar. Preventing users from being their own worst enemy extends inside your firewall as well. Adding MFA to servers, desktops, even network hardware ensures that nobody inadvertently has access to something they shouldn't, and sharing account details "for convenience" becomes useless, because the password alone no longer opens anything. Pair MFA with a tunable privilege-escalation mechanism and you ensure that the person is who they say they are and is allowed to do what they're doing, every time they do it.

Contact NAPC today and we can help you navigate all of these issues and address any concerns you might have with reliable, secure solutions from Centrify. NAPC has expertise in all of these technologies and experience addressing these issues. Whether you have an audit pending or have had an "event" that you need kept confidential, NAPC can help.

Learn More about securing your Enterprise with MFA 

Zero is HUGE!!!!

Posted by Grant Mongardi on Wed, Nov 11, 2015 @ 02:00 PM

Tags: Security, AD, IT, cloud security

Zero Sign-On for Zero hassles. Simple solution to everyday frustration.

Wait? What did I just say?
Yes, it sounds like I've gone completely crazy, but the kind of zero I'm talking about is huge. For everyone!

I'm talking about Zero Sign-On. You might be saying, "I've heard of Single Sign-On (SSO), Grant, but what the heck is Zero Sign-On?" Zero Sign-On is the idea that if you can identify the device being used to connect, and you know that device belongs to and is controlled by someone you know, you can let them connect without having to type a password. It's physical security, much like a door key or pass-card. If I know that your mobile phone or tablet is owned and controlled by you, then I should have no problem using that device as the unique identifier indicating that you are the one trying to connect. Better yet, if I know the device is controlled by both you and me, I can be very comfortable asserting to anyone that I control access for both the device and the end user.

"So Grant, how does all of this work?" In short, by uniquely identifying and then "tagging" that device, be it a phone, tablet or even a netbook, you can use it as a pass-key for getting into protected resources without typing a password. The device identifies you as you, rather than a username/password combination. Not only can the credential not be used without the actual device, it can't be casually "shared" the way a username and password can.

"Yeah Grant, but what if someone steals it?" Well, with a proper service like Centrify's cloud Identity Service, all of that should be taken care of. Centrify's offering lets users register their own devices under their user accounts. In addition to using a device for Zero Sign-On and for resetting forgotten passwords, they can find the device on a map, lock it remotely, wipe it remotely, and even see its battery charge level. More importantly, it lets you, the IT or security administrator, do important things like apply group policy to the device (storage encryption, screen-lock timeout, passcode length/complexity, etc.), unenroll the device and disable Zero Sign-On, and lock or wipe the device.

Centrify Cloud lets you find your lost device, lock it, and even wipe it!

Finally, it lets you see and report on the device's activity, including whether it's been jail-broken and whether it's being backed up to the cloud!
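As an added illustration of the "tagging" idea, not Centrify's own mechanism or code, here is a minimal device-bound sign-on: at enrollment the service issues a secret that only that phone or tablet holds, sign-on is a challenge the device answers with that secret, and unenrolling the device revokes it. Real products bind an asymmetric key or certificate in the device's hardware keystore; this version uses an HMAC key so it runs with nothing but the Python standard library. Names such as `ZeroSignOnServer`, the user `grant` and the device id `phone-01` are made up for the example.

```python
"""Device-bound sign-on: challenge/response against a key issued at enrollment.

Added example, not Centrify's implementation: illustrates the idea in the
post that an enrolled device, rather than a typed password, identifies the
user, and that unenrolling the device revokes access. Real products bind an
asymmetric key or certificate in the device's hardware keystore; this
stand-alone version uses an HMAC key so it runs with the standard library only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Enrollment:
    user: str
    key: bytes
    active: bool = True


@dataclass
class ZeroSignOnServer:
    enrollments: dict = field(default_factory=dict)   # device_id -> Enrollment
    pending: dict = field(default_factory=dict)       # device_id -> outstanding nonce

    def enroll(self, user: str, device_id: str) -> bytes:
        """Issue a fresh per-device key; the device stores it, the server records who owns it."""
        key = secrets.token_bytes(32)
        self.enrollments[device_id] = Enrollment(user, key)
        return key

    def unenroll(self, device_id: str) -> None:
        """Lost or stolen device: disable its key so Zero Sign-On stops working immediately."""
        if device_id in self.enrollments:
            self.enrollments[device_id].active = False

    def challenge(self, device_id: str) -> bytes:
        """Single-use nonce; stored so a recorded response can't be replayed."""
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def authenticate(self, device_id: str, response: bytes):
        """Return the user name if the device proves possession of its key, else None."""
        enrollment = self.enrollments.get(device_id)
        nonce = self.pending.pop(device_id, None)   # consume the nonce whatever happens
        if enrollment is None or not enrollment.active or nonce is None:
            return None
        expected = hmac.new(enrollment.key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return enrollment.user


def device_respond(device_key: bytes, nonce: bytes) -> bytes:
    """What the enrolled phone or tablet computes; no password is involved."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def demo():
    """Constructed walk-through; returns the outcome of four sign-on attempts."""
    server = ZeroSignOnServer()
    phone_key = server.enroll("grant", "phone-01")

    # 1. The enrolled device signs in without a password.
    ok = server.authenticate("phone-01", device_respond(phone_key, server.challenge("phone-01")))

    # 2. Replaying a previously recorded response fails: its nonce was consumed.
    recorded = device_respond(phone_key, server.challenge("phone-01"))
    server.authenticate("phone-01", recorded)
    replay = server.authenticate("phone-01", recorded)

    # 3. Someone who knows the device id but doesn't hold the key fails.
    forged = server.authenticate("phone-01", device_respond(b"guess", server.challenge("phone-01")))

    # 4. After the device is reported stolen and unenrolled, the real key is useless too.
    server.unenroll("phone-01")
    stolen = server.authenticate("phone-01", device_respond(phone_key, server.challenge("phone-01")))
    return ok, replay, forged, stolen


if __name__ == "__main__":
    print(demo())   # ('grant', None, None, None)
```

The four results are the whole argument of the post in miniature: the enrolled device gets in with no password, a recorded exchange can't be replayed, knowing the device id without holding its key gets nothing, and once the administrator unenrolls the device even the genuine key is dead.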

"So what about the user's laptop?" Well, if that user has a laptop capable of Integrated Windows Authentication (IWA), the user gets Single Sign-On, accessing their services without typing their password again. Centrify DirectControl for Mac enables IWA on Apple Macs, and it's built into Windows, so they just log in to the laptop and they're done.

So a few of the best "zeros" are: zero support calls, zero audit findings, and zero shared credentials. And that all translates into far better security and tighter control over your valuable corporate resources.

For more information on Centrify Identity Service or other great products from Centrify just contact us at TheExperts@napc.com and we'll be happy to give you a full demo. We'll also be having a Webinar on Elegant 6 SAML and Centrify's Cloud service on November 19th, 2015 at 2:00 PM EST. Register here to join us for an hour!

 

Password Performance That Isn’t A Compromise

Posted by Grant Mongardi on Wed, Nov 04, 2015 @ 09:12 AM

Tags: Security, AD, cloud security, Password, SSO

So the question often arises: how can I have a secure password that I can remember and that meets the criteria of my policy? It comes up all the time. Most systems place criteria on a new password something like this:

  • must be at least 8 characters
  • must contain uppercase & lowercase characters
  • must contain a number
  • must contain a symbol

and often:

  • cannot contain the username
  • cannot contain consecutive duplicate characters

Although there is some dissent as to whether all of these criteria are necessary, they certainly help. They mean you can't just use your dog's name or your daughter's birthdate as your password. But most people have a problem even creating passwords that meet the criteria, never mind remembering them.

I suggest thinking of the password differently. If you think of your password as a "pass-phrase" rather than a single word, you are much more likely both to remember it and to create one that is very secure. First, think of a subject you're connected with. For example, let's say you're a huge fan of computer games. Perhaps you might create a password like this:

It's a-me, Mari0! 

    or 

It's super effect1ve!

Those certainly meet our criteria, assuming your name isn't Mario. And hopefully you can remember them. What if you're a SciFi movie buff? How about these:

Han sh0t first.

I'll b3 back.

We're all standing n0w!

I'm afra1d, Dave.

I'm my 0wn best friend!

In any case, the idea is that you create passwords based on a phrase you can remember. Use punctuation just as you would in writing, since that satisfies the special-character requirement. Finally, replace a part or a character with a number or symbol until you've met the required criteria. If your policy also forbids consecutive duplicate characters, watch for doubled letters: "I'll b3 back." and "We're all standing n0w!" contain "ll" and "It's super effect1ve!" contains "ff", so drop or alter one letter in those cases.

Mind you, this isn't the perfect solution, but it meets the criteria and is far more secure than an 8-character password that you can never remember (and then can't reuse). Using a password like this for 60 days far exceeds the security of a random string of 8 characters. Every extra character multiplies the brute-force search space by the size of the alphabet: going from 8 to 10 characters means roughly 3,800 times more work for a mixed-case alphanumeric alphabet and over 9,000 times more for the full printable set, so a desktop PC with a couple of GPUs can exhaust thousands of 8-character keyspaces in the time it takes to exhaust a single 10-character one. Add more characters and those numbers get even better. Against a plain brute-force search, most of the passwords above would take years to crack, if not decades. Do keep in mind that a famous movie quote with a predictable digit-for-letter swap is exactly what cracking wordlists and mangling rules are built to guess, so the more personal and less quotable the phrase, the more of that strength actually survives.
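The following is an added example (not from the post) that checks the sample phrases above against the policy listed at the top of the post, including the optional consecutive-duplicate rule, and does the keyspace arithmetic behind the 8-versus-10-character comparison. The guess rate used in the demo output is an assumption for illustration, not a benchmark.

```python
"""Password-policy check and keyspace arithmetic for the passphrase post.

Added example, not from the post: checks the post's sample phrases against
the listed policy (including the optional consecutive-duplicate rule) and
works out how much larger the search space gets per extra character.
"""
import string

SYMBOLS = set(string.punctuation + " ")   # space counts as a symbol here


def policy_violations(password: str, username: str = "", forbid_double: bool = True) -> list:
    """Return the names of the rules a password breaks (an empty list means it passes)."""
    broken = []
    if len(password) < 8:
        broken.append("min_length_8")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        broken.append("mixed_case")
    if not any(c.isdigit() for c in password):
        broken.append("digit")
    if not any(c in SYMBOLS for c in password):
        broken.append("symbol")
    if username and username.lower() in password.lower():
        broken.append("contains_username")
    if forbid_double and any(a == b for a, b in zip(password, password[1:])):
        broken.append("consecutive_duplicate")
    return broken


def keyspace_ratio(shorter: int, longer: int, alphabet_size: int) -> int:
    """How many full keyspaces of length `shorter` fit in one keyspace of length `longer`."""
    return alphabet_size ** (longer - shorter)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case brute-force time to try the whole keyspace, in years."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


SAMPLE_PHRASES = [            # the post's own examples
    "It's a-me, Mari0!", "It's super effect1ve!", "Han sh0t first.",
    "I'll b3 back.", "We're all standing n0w!", "I'm afra1d, Dave.",
    "I'm my 0wn best friend!",
]


def report() -> dict:
    """Map each sample phrase to the rules it breaks under the strict policy."""
    return {p: policy_violations(p) for p in SAMPLE_PHRASES}


if __name__ == "__main__":
    for phrase, broken in report().items():
        print(f"{phrase!r:28} {'OK' if not broken else ', '.join(broken)}")
    print("8 -> 10 chars, alphanumeric (62):", keyspace_ratio(8, 10, 62))
    print("8 -> 10 chars, printable (95):   ", keyspace_ratio(8, 10, 95))
    rate = 1e10   # assumed guesses/second for illustration only, not a measured figure
    print("years for 8 printable chars :", round(years_to_exhaust(8, 95, rate), 4))
    print("years for 17 printable chars:", round(years_to_exhaust(17, 95, rate)))
```

Running it flags "I'll b3 back.", "We're all standing n0w!" and "It's super effect1ve!" under the consecutive-duplicate rule and passes the rest, and prints 3844 and 9025 for the two alphabet sizes, which is where the "thousands of 8-character passwords per 10-character one" figure comes from.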

Contact The Experts <theexperts@napc.com> for options to ensure better security with less work and better compliance across all of your services & websites! Single Sign-On and ZERO Sign-On for all of your corporate web services!

Active Directory services in a heterogeneous environment:

Posted by Rob Pelmas on Tue, Sep 27, 2011 @ 06:11 AM

Tags: Mac, OSX, SOX, Compliance, Security, Xinet, AD, Active Directory, Linux

Once in a while, we find a great tool that solves a big problem, quietly, effectively, and efficiently at an affordable price.

Enter Centrify, a tool that puts all your Linux, Mac and Unix platforms under Active Directory services. It addresses your SOX compliance, security, and auditing requirements, letting you manage and verify all your platforms with minimal effort.

For our customers who operate a Xinet production environment, it brings both the server and the desktops into the AD realm.

We’re aware of two approaches to implementing Centrify in Xinet domains.

One reduces your initial license cost and annual maintenance, but adds complexity, reduces functionality and is unsupported by Centrify. We don't do this.

Obviously, we think that approach is deeply flawed.

We’ve built a robust practice around implementing Centrify as a stable, flexible and fully supported tool. Centrify sets a very high standard. Would that all software worked so well.