security

How to Best Manage Passwords

How to Best Manage Passwords

The average person can have nearly 100 passwords (or more!) when combining professional and personal accounts and services. That is a lot to remember! Many often use the same email and password for many (if not all) accounts, so they have less to remember. This is the number one liability for accounts online: password reuse. If a popular streaming service suffers a security breach, you may not be too concerned with someone watching a show on your account. However, if your log in information for this service is the same for your banking or other sensitive accounts, the damage can be much more severe. When sites suffer a breach, the hackers immediately try those credentials on banking, email and other sites to see how many areas they can log into with one password. So, it is vitally important to have a different password for every account. In addition, to be really secure, your passwords should all be at least 15 characters (some cybersecurity analysts recommend 25 characters.) How is it humanly possible to remember up to 100 unique lengthy passwords? It’s not! That’s where password managers come into play. A password manager will become your best friend, because it takes care of three critical tasks for you:
  1. It generates lengthy, complex passwords for each of your accounts or logins
  2. It stores these complex passwords in a digital “vault”
  3. It automatically fills in this complex password every time you log into a site
People often say “I’m already using my Internet browser to save my passwords – isn’t that the same thing?” No! Browsers are designed for us to surf the Internet, and although they can store passwords, it doesn’t mean that your passwords are secure. It also means your passwords would be in one browser, so they wouldn’t be available if you use a different browser. Whereas with a password manager, you could log into your personal vault from any browser, making them much more versatile. What if the Password Manger is compromised? Great question! LastPass has been hacked multiple times, but the number of compromised passwords? ZERO. LastPass encrypts all passwords, so the company never sees your passwords, keeping your passwords secure even if a security incident occurs. To find the best password managers for you, your family, and/or your business, we recommend Googling “Best Password Managers”, and you will see a number of reviews of the top password managers available today. Also, please contact your Program Manager to ensure your organization is enrolled in designDATA’s complimentary Dark Web Scan offering which will notify you if any account in your organization has shown up on the Dark Web. Stay safe out there! by Imran Khan

Changing Password over VPN

Even with so many working remote in these tumultuous times, security practices such as regular password expiration dates keep looming before us. While we at designDATA are always here to walk you through how to handle this process, here are some tips on how you can do so yourself!

While you are working in the office, you have the convenience of being on the same network as your domain, meaning that if your password needs to be changed, all you need to do is the simple CTRL+ALT+DEL to pull up the ‘Change a Password’ menu.
While the process is largely the same when remote, you also need to make sure that you are connected to your VPN, which simulates being connected to your office network. For most of our customers using the Sophos VPN, that will be the little traffic light icon you should find in the lower right-hand corner of your screen.

Once connected to the Sophos VPN, you can enter the ‘Change a Password’ screen as normal by pressing CTRL+ALT+DEL, and choosing your password. Remember that you will need to enter your new password twice, just as a confirmation!

Once you’ve changed your password, make sure you’re still connected to the VPN by checking to see that the icon is still showing the “green light” and then LOCK your computer twice. This is to ensure the new password is confirmed both on the network as well as on your local computer, as it doesn’t always do so the first time around. If you want to be absolutely sure that it has worked after locking and logging back in twice, you can also sign out and back into the VPN. If you can sign back in, it’s been changed at the domain level as well!
If you’re working from a Mac, or you aren’t a VPN user, your instructions will be different and are specific to your organization. Please contact the designDATA service desk for assistance.
Remember, if you have any issues with any of this, our technicians are standing by to help assist you with your password update or any other needs. We can be reached at service-request@designdata.com, or by calling your client-specific service desk numbers, 24/7.

designDATA’s plan of action during COVID-19

As many of you may have heard, the President has extended the social distancing guidelines to April 30th with the possibility of going past that date. designDATA will continue working remotely and suspending onsite engagements according to the Federal guidelines.

During these times while working from home, we understand a focus on productivity and collaboration is of high importance. Our aim is to be of greater resource to you and your organization during these times.  If you are in need of IT solutions at this time please contact us at https://www.designdata.com/contact-us/ .

Access our blog via our website for tips and tricks on cybersecurity, Microsoft Teams, eSign solutions, other relevant subjects to improve IT productivity in this remote working environment.  https://www.designdata.com/resources/blog/

Why autocomplete passwords are risky

Many people use auto-fill passwords for their convenience. What you might not know is that hackers and advertisers can use them to get access to websites and other applications and gather sensitive information. Learn more about the risks of using autocomplete passwords.

Why auto-fill passwords are so dangerous

Certain web browsers have integrated features that enable usernames and passwords to be automatically entered into a web form. There are also password manager applications that have made it easy to access login credentials. But these aren’t completely safe. They can become a liability if hackers gain access to computers or browsers.

For example, if a hacker gains access to just one account, it’ll be easier for them to obtain access to other accounts because the autocomplete feature will fill in all other saved credentials.

Tricking a browser or password manager into giving up saved information is incredibly simple. All a hacker needs to do is place an invisible form on a compromised webpage to collect users’ login information.

Using auto-fill to track users

For over a decade, there’s been a password security tug-of-war between hackers and cybersecurity professionals. Little do users know that shrewd digital marketers also use password auto-fill to track user activity.

Digital marketing groups AdThink and OnAudience have been placing these invisible login forms on websites to monitor the sites that users visit. AdThink and OnAudience track people based on the usernames in hidden auto-fill forms and sell the information they gather to advertisers. While the intention is not to steal passwords, there’s always the likelihood of exposure.

One simple security tip for today

A quick and effective way to improve your account security is to turn off auto-fill in your web browser. Here’s how to do it:

  • If you’re using Chrome – Open the Settings window, click Advanced, and select the appropriate settings under Manage Passwords.
  • If you’re using Firefox – Open the Options window, click Privacy, and under the History heading, select “Firefox will: Use custom settings for history.” In the new window, disable “Remember search and form history.”
  • If you’re using Safari – Open the Preferences window, select the Auto-fill tab, and turn off all the features related to usernames and passwords.

Being cautious about your password security habits can go a long way in protecting your sensitive data. For managed, 24/7 cybersecurity assistance that goes far beyond protecting your privacy, call us today.

Top reasons for technology business reviews

Businesses need technology to be profitable and productive. But not all technologies are capable of delivering on their perceived benefits. To make sure your investments are worth keeping, you need to perform technology business reviews.

A technology business review reveals the strengths and weaknesses of your company’s IT framework. It’s often performed by a third-party IT consultant who will give an objective assessment of your technology and provide recommendations to help you meet your goals. If done properly, technology business reviews allow you to:

Save money

Every review starts with a cost-benefit analysis to determine whether an implemented solution is worth the continued investment. If there are technologies costing you a fortune in management and maintenance fees, consultants will advise you to cut them from your budget. The best ones will recommend cost-effective alternatives so you can do more with less.

Increase productivity

System-wide reviews of your IT infrastructure show you what processes are hindering business operations. This allows you to formulate solutions to increase productivity. For example, if employees are mainly sharing files via email, consultants might suggest cloud collaboration platforms, like Office 365 or G Suite, that store data in a centralized location for seamless file sharing.

Enhance security and compliance

Technology business reviews can also uncover security risks within your business. Consultants look for missed patches, poorly configured networks, and other software vulnerabilities that can be easily exploited by cybercriminals.

They’ll then compile their findings to create a more robust cybersecurity strategy, usually, one that involves implementing advanced solutions like intrusion prevention systems (IPS), file access restrictions, and patch management software.

If you operate a business that’s subjected to data regulations like the Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS), consultants will also pinpoint IT practices and solutions that are noncompliant and customize a strategy that ensures the privacy, integrity, and availability of your data.

Implement technologies that fit

Considering that new technologies are released at a breakneck pace, it’s important to pick those that will help you achieve your business goals. Technology business reviews keep you up to date on the latest technology trends and gauge the impact of implementing them so that you can make informed decisions.

Whether your goal is to increase profits, productivity, security, or all of the above, technology business reviews can put you on the right track. Our seasoned IT consultants can conduct these reviews for you and develop a strategy that gives you an edge over the competition. Just give us a call.

Security audits are more crucial than they seem

Security audits are an excellent way to set the benchmark for your company’s data integrity. It is also a reliable way of identifying gaps in your system before they can be exploited by hackers.

Auditing and the security strategy

Audits are necessary to maintain system integrity and uphold quality. These system checks help identify security gaps and guarantee business stakeholders that the company is doing everything in its power to ensure that all of its information is uncompromised.

The three key procedures of an audit are assess, assign, and audit. Having a methodical way of auditing helps you avoid missing important details. It is also crucial that each stage is treated with the same level of importance to ensure thorough and comprehensive auditing.

During the assessment phase, have your IT partner look at the security system you have in place. All of your business computers and servers need to be checked, as well as every program and every user. Doing an assessment should give you an overview of how secure your business currently is, along with any weak points that need to be improved.
After the assessment, you may begin assigning solutions and solution providers. Ask your IT provider about solutions they can provide for each of your network/system gaps. And for issues that they can’t handle (perhaps because certain machines and software are highly specialized), ask your IT provider for their whitelist of partners.

Finally, you conclude your audit cycle with an “audit” — one last look-around before releasing the system back into the wild. Make sure that installations, patches, and upgrades are integrated properly and working seamlessly. For future reference, you’ll also want to take down notes just in case you need information about software and hardware improvements done during this audit cycle.

What exactly should be audited?

When conducting an audit, there are three factors you should focus on:

The state of your security – Security — especially digital security — is never at an impasse, and it is always in flux. Why? Because according to the Clark School at the University of Maryland, hackers attack every 39 seconds. And that’s not even accounting for other cyberattacks such as phishing, ransomware, and malware. This means that system security has shorter and shorter expiration dates nowadays, which makes audits all the more crucial to accomplishing your security strategy.

The changes made – The key to having long-term data integrity is a continuity plan — and not just one that addresses severe business disruptions such as those caused by calamity or disaster. A true continuity plan tries to address every conceivable risk realistically, especially those that can trip up business operations, such as cyberattacks. This can only be possible if you know what kind of hardware and software comprise your system, as well as their respective updates and improvements.

Who has access to what – Data systems — even proprietary ones — should allow administrators some control over who sees what. Total accessibility is a very dangerous prospect, especially since business nowadays is increasingly hinged on internet presence. An audit will let you check on user access so that you can make necessary adjustments to protect your data.

If you are looking for help in developing a security strategy for your business, contact us today to see how our managed solutions can help.

How to strengthen your BYOD security

Mobile technology has drastically changed the way we live. And just as many people have “cut the cord” in their homes and now rely on their smart devices, businesses are now adopting the bring your own device (BYOD) trend culture. But BYOD also opens your organization up to cybersecurity risks. Here’s how you can improve BYOD security.

Whether your employees are using smartphones, tablets, or laptops, you need a BYOD security policy. Additionally, you need to be aware of the key BYOD security risks:

  • Loss or theft of device – Employees often bring their personal devices wherever they go. This means there’s a higher chance of devices being lost or stolen, and a greater risk of the company data that’s stored or accessed on these being compromised.
  • Data loss – In the event that a device is lost, stolen, or damaged, any locally stored data may be lost permanently if it’s not backed up in real time.
  • Man-in-the-middle (MITM) attacks – Public Wi-Fi spots are convenient for getting some work done, but they’re also popular hunting grounds for cybercriminals who use MITM to intercept data being transmitted over public networks.
  • Jailbroken devices – Jailbreaking is the process of removing the restrictions imposed by the manufacturer of a device, typically to allow the installation of unauthorized or third-party software. This increases the risk of an employee inadvertently installing malicious software on a personal device.
  • Security vulnerabilities – Every operating system (and the software that runs on it) has its own unique set of security flaws and vulnerabilities, which means that allowing staff to use any device and operating system increases the risk of a data breach or malware infection.
  • Malware – A personal device that has been infected with malware can spread that malware to other devices connected to the company network and cause data loss and downtime.

To mitigate risks, it’s important to devise a BYOD security policy that works for the needs of your business as well as the needs of your employees. Here are some tips:

Make passwords compulsory on all BYOD devices

Prevent unauthorized access to company data by enforcing the use of passwords on all BYOD devices. Passwords should be long and unique.

Create a blacklist of prohibited applications

Blacklisting involves prohibiting the installation of certain applications on BYOD devices that are used for work purposes. This includes applications such as file sharing and social networking apps. The simplest way to blacklist applications is through a mobile device management platform that enables IT administrators to secure and enforce policies on enrolled devices.

Restrict data access

Adopt the principle of least privilege on both BYOD and company devices. This means that a user is able to access only the data and software required to do their job. This can reduce the effects of certain types of malware and limit the fallout in the event of a data breach.

Invest in reliable security solutions for devices

Protect BYOD devices with reputable antivirus software to identify and stop threats before they can make changes to the device. This is vital for protecting mission-critical data and avoiding downtime.

Backing up device data

A well-thought-out BYOD policy can go a long way toward minimizing the risk of a security breach, but if something manages to slip past your defenses, you need a process in place for restoring your data to its former state. Have a comprehensive backup strategy to ensure that any data stored locally on a BYOD device can be quickly recovered.

Educate your staff about security

The vast majority of BYOD-related security risks involve human error. Educate your employees about proper mobile safety. This includes how to spot apps that could contain malware, sharing security threat updates, and teaching them how to secure their devices by going beyond default security settings.

It’s also a great idea to work with an IT partner like us. As experts, we keep tabs on the latest trends and innovations related to BYOD and will recommend solutions that work for your company. Contact us today to see how we can help.

Fix these enterprise security flaws now

As businesses have become more reliant on digital technology for day-to-day operations, they’ve also become a favorite target of internet threats. If you want to protect your organization from cyberattacks, make sure your security is clear of the following flaws.

Open wireless networks

With one main internet line and a couple of wireless routers, a whole office can go online. A wireless internet connection saves money, but there is an inherent risk that it’s an unsecure network.

If you need a secure network, plugging in a wireless router and creating a basic network is not enough. If you don’t set a password on your routers, then anyone within range can connect. With fairly simple tools and a bit of know-how, hackers and criminals can start capturing data that goes in and out of the network, and even attacking the network and computers attached.

Therefore, you should take steps to ensure that all wireless networks in the office are secured with strong passwords. Many internet service providers that install hardware when setting up networks will often just use an easy password for the router, such as the company’s main phone number. These need to be changed.

Email is not secure

Most companies that have implemented a new email system in the past couple of years will most likely be secure. This is especially true if they use cloud-based options or well-known email systems like Exchange, which offer enhanced security and scanning.

The businesses at risk are those using older systems like POP, or systems that don’t encrypt passwords (what are known as “clear passwords”’). If your system doesn’t encrypt information like this, anyone with the right tools and a bit of knowledge can capture login information and compromise your systems and data.

If you are using an older email system, it is advisable to upgrade to a newer one, especially if it doesn’t use encryption.

Mobile devices that aren’t secure enough

Mobile devices offer a great way to stay connected and productive while out of the office. However, if you use your tablet or phone to connect to office systems but don’t have security measures in place, you compromise your networks.

Imagine you have linked your work email to your tablet but don’t have a screen lock enabled, and you lose your device. Anyone who picks it up will have access to your email and all your sensitive information. The same goes if you install a mobile device app with malware on it. Your infected device will spread this malicious program to your entire network and cause major disruption to your business.

Take steps to ensure that employee devices have adequate security, such as passcodes, and that your company has sufficient security policies in place to govern their use. Lastly, mobile device management solutions are specifically designed to prevent your bring your own device (BYOD) policy from being a risk with employee devices causing havoc to your network.

Anti-malware software that isn’t maintained

These days, it is essential that you have anti-malware software installed on all devices in your company, and that you take the time to configure these properly.

It could be that scans are scheduled during business hours. If you install these solutions onto your systems and they start to scan during work time, most employees will just turn the scanner off, leaving your systems vulnerable.

The same goes for not properly ensuring that these systems are updated. Updates are important for software, especially anti-malware applications, because they implement new databases that contain recently discovered threats and the fixes for them.

Therefore, anti-malware software needs to be properly installed and maintained if they are going to even stand a chance of keeping systems secure.

Lack of firewalls

A firewall is a network security tool that can be configured to block data traffic from entering and leaving the network. For instance, it can protect data from being accessed from outside the network. While many modems or routers include firewalls, they are often not robust enough for business use.

What you need is a firewall that covers the whole network at the point where data enters and exits (usually before the routers). These are business-centric tools that should be installed by an IT partner like a managed services provider (MSP), in order for them to be most effective.

How do I ensure proper business security?

The best way a business can ensure that their systems and networks are secure is to work with an IT partner like us. Our managed services can help ensure that you set up proper security measures in place and that they are managed properly. Tech peace of mind means your focus can be on creating a successful company instead. Contact us today to learn more.

5 Security issues to look out for

The security of your systems and technology is a constant battle, and one you will likely never completely win. There are significant steps you can take to secure your systems, but having knowledge about your systems is one of the most effective tools. If you know how your systems can be breached, you can ensure a higher level of caution and security. Here are five common ways business systems are breached.

#1. You are tricked into installing malicious software

One of the most common ways a system’s security is breached is through downloaded malware. In almost every case where malware is installed, the user was tricked into downloading it.

A common trick used by hackers is planting malware in software hosted on warez and torrent websites. When users visit the site, they are informed that they need to download the software in order for the site to load properly. Once downloaded, the malware infects the system. In other cases, hackers send emails with a malware-infected attachment.

There is a nearly limitless number of ways you can be tricked into downloading and installing malware. Luckily, there are steps you can take to avoid this:

  • Never download files from an untrusted location. If you are looking at a website that is asking you to download something, make sure it’s from a company you know and trust. If you are unsure, it’s best to avoid downloading and installing the software.
  • Always look at the name of the file before downloading. A lot of malware is often disguised with names that are similar to legitimate files, with only a slight spelling mistake or some weird wording. If you are unsure about the file, then don’t download it. Instead, contact us so we can verify its authenticity.
  • Stay away from torrents, sites with adult content, and video streaming sites. These sites often contain malware, so avoid them altogether.
  • Always scan a file before installing it. Use your antivirus scanner to check downloaded apps before opening them. Most scanners are equipped to do this by right-clicking the file and selecting Scan.

#2. Hackers are able to modify the operating system (OS) settings

Many users are logged into their computers as admins. Being an administrator allows you to change all settings, install programs, and manage other accounts.

If a hacker manages to access your computer with you as the admin, they will have full access to your computer. This means they could install other malicious software, change settings, or even completely hijack the machine. The biggest worry about this, however, is if a hacker gets access to a computer used to manage the overall network. Should this happen, they could gain control of the entire network and do as they please.

To avoid this, limit the administrator role only to users who need to install applications or change settings on the computer. Beyond this, installing security software like antivirus scanners and keeping them up to date, as well as conducting regular scans, will help reduce the chances of being infected, or seeing infections spread.

#3. Someone physically accesses your computer

These days, it seems like almost every security threat is trying to infect your IT infrastructure from the outside. However, there are many times when malware is introduced into systems, or data is stolen, because someone has physically accessed your systems.

Let’s say you leave your computer unlocked when you go for lunch and someone walks up to it, plugs in a malware-infected USB drive, and physically infects your system. They could also access your system and manually reset the password, thereby locking you out and giving them access.

Secure yourself by setting up a password to control access to your computer. You should also lock, turn off, or log off from your computer whenever you step away from it.

Beyond that, disable drives like CD/DVD and connections like USB if you don’t use them. This will limit the chances of anyone using these removable media to infect your computer.

#4. Someone from within the company infects the system

We’ve seen a number of infections and security breaches that were carried out by a disgruntled employee. They could delete essential data, or remove it from the system completely. Some have even gone so far as to introduce highly destructive malware. The most effective way to prevent this, aside from ensuring your employees are happy, is to limit access to systems.

Your employees don’t need access to everything, so reexamine what your employees have access to and make the necessary adjustments. For example, you may find that people in marketing have access to finance files or even admin panels. Revoke unnecessary access rights and ensure that employees only have access to the files they need.

#5. Your password is compromised

Your password is the main way you can verify and access your accounts and systems. The issue is, many people have weak passwords. And with the steady increase in the number of stolen user account data, it could only be a matter of time before they can crack your password and compromise your account.

To add insult to injury, many people use the same password for multiple accounts, which could lead to a massive breach. Therefore, you should use strong and different passwords for your accounts.

To further enhance your password security, utilize multifactor authentication (MFA), which uses more than one method of verifying a user’s identity, such as a fingerprint or a one-time code.

If you are looking to learn more about securing your systems, contact us today to learn how our services can help.

A primer on watering hole attacks

Cyberattacks come in many different forms, with new methods being developed all the time. What’s bad is that personal information is now often stored online, be it through social media or through government and healthcare services — and these are juicy targets for criminals. Learn more about one way these criminals steal data — through watering hole attacks.

What are watering hole attacks?

Watering hole attacks are used to distribute malware onto victims’ computers in a similar way phishing activities are conducted. Cybercriminals infect popular websites with malware, and anyone who has had the misfortune to visit have their computers automatically loaded with malware.

The malware used in these attacks usually collects the target’s personal information and sends it back to the hacker’s server. In extreme cases, the hacker will actively take control of the infected computer.

But how does a hacker choose which websites to hack? With internet tracking tools, hackers find out which websites companies and individual users visit the most. They then attempt to find vulnerabilities in those websites and embed them with malicious software.

With such highly skilled hackers these days, virtually any website can fall victim to a watering hole attack. In fact, even high-profile websites like Twitter, Microsoft, Facebook, and Apple were compromised in 2013.

You can protect yourself by following these tips:

Update your software
Watering hole attacks often exploit holes and vulnerabilities to infiltrate your computer, so by updating your software and browsers regularly, you can significantly reduce the risk of an attack. Make it a habit to check the software developer’s website for any security patches. Or better yet, hire a managed IT services provider to keep your system up to date.

Watch your network closely
Regularly conduct security checks using your network security tools to try and detect watering hole attacks. For example, intrusion prevention systems allow you to detect suspicious and malicious network activities. Meanwhile, bandwidth management software will enable you to observe user behavior and detect abnormalities that could indicate an attack, such as large transfers of information or a high number of downloads.

Hide your online activities
Cybercriminals can create more effective watering hole attacks if they compromise websites only you and your employees frequent. As such, you should hide your online activities with a VPN and your browser’s private browsing feature. Also, block social media sites from your office network, as these are often used as share points of links to infected sites.

At the end of the day, the best protection is staying informed. As cyberthreats continue to evolve, you must always be vigilant and aware of the newest threats. Tune in to our blog to find out about the latest developments in security and to get more tips on how to keep your business safe.

Published with permission from TechAdvisory.org. Source.