Alex – Alex Velasquez

Will 2015 Be the Year the Password Died?

Alex — Tue, 03 Mar 2015 07:01:21 +0000

In an ancient Arabian fairy tale, the magic phrase “Open Sesame” granted Ali Baba access to a cave of stolen riches. Ali Baba learned the password when he overheard thieves using it. He was able to steal the thieves’ treasures, but his brother forgot the password and became trapped in the cave. It’s been hundreds of years since that story was written, and passwords are still being used to protect people’s valuables. Nevertheless, people today face the same problems as those fictional characters, namely stolen passwords and poor memories.

The Problems with Passwords

Many digital services call for using stronger, more complicated passwords. However, remembering several of these complex passwords is difficult, so people typically use simpler passwords or use the same one over and over again. These simple and repeated passwords are very ineffective security measures. This problem is not a small one. Verizon’s 2013 Data Breach Investigations Report stated that 76% of security breaches involved weak or stolen login credentials. To put that number into context, hackers were able to steal millions of passwords in 2014. Changing passwords after the fact doesn’t offer protection, as data is often stolen weeks before the breach is recognized. According to the 2014 Ponemon Cost of Cyber Crime Study, it takes companies about 45 days to handle the aftereffects of a cyber attack. These attacks have an average cost of $12.7 million.

Improving User Authentication

In light of these problems, IT experts are looking for new ways to enhance the security of a user’s accounts. Some experts even recommend eliminating passwords completely. However, their password-free solutions are extremely hard to implement, and therefore are unlikely to occur in the near future. The US National Strategy for Trusted Identities in Cyberspace (NSTIC) has a similar problem. This plan calls for the creation of one centralized, government-run system that manages user information for a wide array of services. However, the plan lacks widespread support, which is unsurprising given the recent revelations about the NSA. Similar proposals in other countries would likely be just as unpopular. The government is not the only one working on a solution to the problem of account security. An industry consortium is also developing a new approach. This consortium, which is called the Fast Identity Online (FIDO) Alliance, has a number of major IT companies on its list of members, including Google, PayPal, and Microsoft. The consortium has developed two new proposals for user authentication, Passwordless UX and Second Factor UX. Both proposals are built upon the concept of multi-factor authentication, an authentication scheme that involves the use of multiple forms of identification. Passwordless UX calls for getting rid of passwords entirely. Instead, people would use biometric indicators as the means for proving their identities. These indicators might include fingerprints, retina scans, voice analysis, and even the electrical activity of a person’s heart. Second Factor UX would require the use of a USB dongle, in addition to username and password. After logging in using the username and password, the user would be prompted to insert their authentication dongle into the USB port of the computer. The addition of the authentication dongle to the traditional username and password substantially increases the effort required to compromise an account, and strongly resists common phishing attacks. The consortium’s plans are relatively new, having only been announced in December 2014. However, the support of several key players in the IT industry makes them a promising alternative to contemporary means of user authentication.

How to Protect Accounts in the Present

While the FIDO Alliance’s industry-wide effort is still in the early stages, there are plenty of other ways to incorporate multi-factor authentication into a company’s IT strategy. This method is highly recommended by the majority of IT experts, and it can significantly boost the security of a company’s accounts. Companies should also promote the use of stronger passwords. Users should stop using obvious passwords and should not use the same password with multiple accounts. Since most people have trouble remembering their passwords, many experts recommend using a password manager. This tool can keep track of your passwords in one vault. Users can access the vault with a password, and from there, they can access any of their other accounts. People with password managers only have to keep track of one password, but don’t have to suffer the risks involved in using the same password for multiple accounts. Multi-factor authentication, password managers, and better password protection protocols are currently the best means for a company to improve the security of their accounts. As such, they should be strongly considered by all businesses, no matter how large or small they may be.

4 Steps for Surviving the Windows Server 2003 End of Support

Alex — Tue, 03 Mar 2015 07:01:21 +0000

Microsoft will end support for Windows Server 2003 on July 14, 2015. Without a supported server operating system, your company will be exposed to some serious security vulnerabilities. In order to properly prepare for this change, you need to understand the challenges surrounding the end of support for Windows Server 2003. Here are 4 steps you can take to overcome these challenges and successfully change your server operating system.

1. Recognize the Problem

The end of support for an operating system means that Microsoft will no longer provide security updates for it. Running an operating system after support ends is very risky. Outdated operating systems are susceptible to all sorts of remote attacks and malware. Additionally, even after problems are discovered, they won’t be addressed by Microsoft. This means unsupported operating systems remain permanently vulnerable.

2. Assess Your Infrastructure

This is an IT problem, so to solve it, you need to know your IT infrastructure. Make a list of all of your computers, and find out what operating system each one is using. Then figure out each computer’s workload. Microsoft recommends identifying which servers are mission-critical to your business, so that you can focus on upgrading those servers first. Non-essential assets can wait until the end of the process.

3. Find A New Server Operating System

Now that you know what your IT infrastructure looks like, you can determine which new server operating system will work best for you. The server operating systems that Microsoft currently provides are Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Some of these options may require you to purchase new hardware, while others will let you reuse the hardware that you have. Companies should have a new server operating system in place before the Windows Server 2003 end of support. They can also move services to the cloud in order to cut costs and reduce the reliance on physical infrastructure.

4. Make the Change

After selecting a new server operating system, companies can begin migration. Migration is the process of moving from one server operating system to the next. Migration can take several months, so companies should start as soon as possible. For help with migration, or any other concerns related to the end of support for Windows 2003, consult an IT service provider.

What You Need To Know About Anthem’s Security Breach

Alex — Wed, 11 Feb 2015 14:26:48 +0000

US health insurer Anthem Inc. announced on February 4, 2015, that it was the victim of a sophisticated cyber attack resulting in the theft of tens of millions of records. Hackers were able to break into a database that contained as many as 80 million records. These records contained personal information about current and former customers, as well as staff members. Even CEO Joseph Swedish’s data was stolen. This attack is one of the largest of all time, and the most significant within the healthcare industry. It affects several of Anthem’s subsidiaries and brands, including Anthem Blue Cross and Blue Shield, Empire Blue Cross and Blue Shield, Amerigroup, Healthlink, and Caremore. According to Anthem’s website , its affiliated companies serve nearly 69 million people. The company is the second largest health insurer in the US; one out of every nine Americans has healthcare coverage through one of Anthem’s affiliated plans. The Federal Bureau of Investigation is investigating the attack, which Anthem said was detected on January 29. In addition to informing the FBI, the company has also hired the cyber security firm Mandiant to assist in the investigation, evaluate the company’s computer system, and fix any other vulnerabilities. What Hackers Can Do With Your Stolen Data The hackers stole a large amount of information that can be used to identify, contact, and/or find Anthem’s customers, as well as the company’s former and current employees. The legal term for this type of information is personally identifiable information (PII). Among other things, PII includes names, birthdates, physical addresses, and Social Security numbers. Anthem stated that the hackers had “obtained personal information from [its] current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses, and employment information, including income data.” The company stressed that there was no evidence to suggest that credit card or medical information was taken. However, even without credit card numbers, hackers can still do a huge amount of damage with the stolen information. PII can be used to commit a number of crimes, including fraud and identity theft. Among other things, hackers can use the information to steal tax refunds, break into bank accounts, open new credit cards in the names of their victims, secure loans in the names of their victims, file fraudulent claims with health insurers, and receive medical treatment through the use of a stolen identity. The severity of these crimes has made the loss of such information far more dangerous than the loss of a credit card number. The theft of a credit card number can be fixed by canceling the card. Identity theft, however, creates problems that last a lifetime. According to a cyber security professional quoted by Reuters , the black market value of stolen health credentials is 10 to 20 times higher than that of stolen credit card numbers. Hackers are already using the Anthem breach as part of new efforts to steal information. These hackers, who are not believed to be the same ones who broke into Anthem’s database, are claiming to be representatives of Anthem and are sending out email messages with links to websites that ask for personal data. This is a good example of phishing, a hacking technique in which attackers try to trick their targets into revealing personal information. Hackers can make a lot of money from phishing, even if only a small percentage of recipients fall for the scam. Ways to Help Protect Your Company Anthem isn’t the only corporation to suffer from a recent cyber attack. In 2014 , hackers stole large amounts of data from several major organizations, including Home Depot, Staples, JP Morgan Chase, Sony, Community Health Services, and the US Postal Service. These incidents show that blindly following the reactive security practices of larger organizations can lead to trouble. Instead, small companies must take a proactive approach to cyber security. A key component in developing a proactive cyber security approach is education. Companies should learn about hacking techniques such as phishing, as well as how to spot fake emails and text messages. Most importantly, they should develop strong relationships with their IT service providers. IT service providers specialize in protecting companies from a variety of attacks. Many providers have earned data protection certifications and produce periodic reports proving that they comply with data security requirements. They can also provide insight into data backup, disaster recovery, encryption, user authentication, and more. A good disaster recovery program is especially important in light of the recent high-profile breaches. IT service providers can educate companies on the steps they should take to protect themselves and recover from these types of attacks. They can also suggest ways to strengthen or improve user authentication for local and remote access. User authentication methods such as multi-factor authentication can help prevent unauthorized access to an account, even if the unauthorized user has stolen information that could help them break into the account. A qualified IT specialist can help you find out about today’s threats to your company. Contact us to learn about the best ways to keep your data safe.

Visit site:
What You Need To Know About Anthem’s Security Breach

How to Minimize Risk from Lost Mobile Devices

Alex — Mon, 01 Dec 2014 11:08:51 +0000

A lost business phone or tablet can open your company up to a significant amount of risk. From competitors getting your proprietary information to poached clients, and even extravagant cell phone bills, as a business owner you need to make sure that these risks are all minimized. Here’s how:

Before your employees’ new phones leave the IT department, make sure your IT staff has loaded them up with some essential software. These essentials should include a disk encryption system that will keep the contents of the phone locked down and out of reach of anyone who happens to find the phone. They should also make sure to install a remote wiping program, and configure the phone to require a strong password to unlock.

Once the IT department is done setting up all the appropriate applications, you need to make sure that your employees understand the importance of mobile security. You should have a policy set up that employees who receive a company phone are familiar with and understand. This should cover things like what kind of passwords to use on mobile devices (stress that they should be no less thorough than those used on desktops), as well as the process for reporting a phone lost or stolen. Remind your employees that the sooner they report a phone as being lost or stolen, the more likely you are to either recover it or lock it down/remotely wipe it.

If a phone is actually lost or stolen, the first thing your employees should do is report it. A lot of phone recovery tools, like GPS tracking or remote wiping, require the phone to be on and in range of the wireless network to use. That means you have a limited time until either the batteries run out, or (if it was stolen) until the thieves remove the sim card, turn the phone off, or otherwise take it offline. As soon as the phone is reported lost, your IT department should lock it down using the remote control software you installed earlier. If the phone has GPS tracking, you should turn it on and immediately try to recover it, if it appears the phone was simply misplaced, or contact the police if it appears the phone was stolen.

If the phone is not recovered within the first few hours, you should have your IT team wipe the phone remotely to prevent any chance of your sensitive information falling into the wrong hands. All the contents of the phone should be backed up regularly to a secure server, so wiping a mobile device clean shouldn’t cause your company to lose any more than a few hours or a day of information.

Remember, security on mobile devices is quickly becoming as important, if not more so, than security on your desktops and corporate networks. Take the time to secure your devices before the worst happens and it’s too late.