
Say Goodbye to 100 Passwords with Passkey Sign-on

July 5, 2022 by Paul Schwegler

The average individual has 100 passwords to remember, according to a NordPass study. Apparently, no one has studied how many we actually remember versus how many we reset over and over. No matter. New developments could save us from having to remember passwords altogether, as major players are moving to a single passkey sign-on approach.

What is passkey sign-on?

Apple, Google, and Microsoft have joined forces to support “passwordless” sign-in across all their mobile, desktop, and browser platforms. The initiative, announced in May to coincide with World Password Day, is expected to roll out in 2022/23.

What does passkey login involve? Users choose a physical device to use to authenticate them on apps, websites, and other digital services. For many of us, this would be a mobile phone. You’d unlock the phone as you normally do. Then, you could enter a PIN, draw a pattern, or use your fingerprint to sign into the digital services you need.

To put it simply, it’s a four-stage process:

  1. You navigate to the site or app or service you want to use.
  2. You approve access using your passkey device.
  3. A public passkey (mirroring the private one on your device) is shared.
  4. Login is completed.

You don’t need a password, because the login is done using a cryptographic token (the passkey). Your selected device shares that passkey with the website, app, or other online services.

Advantages of the passkey

Using a passkey means you need to remember only the one PIN or pattern to unlock access … or have fingertips! And you don’t have to come up with a complicated passphrase either, which means no more frustrating combos of upper and lowercase characters, numbers, and symbols.

The passkey sign-in method is touted as more secure. Passwordless authentication makes it more difficult for hackers to compromise login details. After all, they would need access to the physical device you use to access digital services, apps, and websites.

You keep personal information safe and cut password vulnerabilities that plague us today:

  • Phishing attacks, which use fake websites to capture login details, won’t work.
  • Brute-force attacks, which use trial and error to guess credentials, won’t get anywhere.
  • Spoofing your device will no longer work, as the passkey device must be near the computer.

Another plus? Passkey security is being set up to offer multi-device authentication. You’ll be able to sign in to an app or service from almost any device, and it won’t matter what platform or browser you’re using. So, you could sign in to Google Chrome and run Microsoft Teams using your iPhone, for instance.

Making the most of multi-factor authentication

Passkey security will use a FIDO standard to authenticate you in different contexts. This is a passkey protocol already supported in some online environments, but major players are now coming together to make it more widespread.

With a passkey that is unique to you, you’ll no longer have to worry about keeping track of multiple passwords.

Still, until this technology is available, you’ll want to protect your online activity. Our experts can help secure your home networks and set you up with a password wallet. Contact us today at (515)422-1995.

Filed Under: Residential, Security, Tips Tagged With: passwords, residential, security, tips


How to Prevent Password Spraying Attacks

February 15, 2022 by Paul Schwegler

Bad cyber actors are what the kids these days would call “try hards.” They do everything they can think of to get into your accounts. One tactic is password spraying. In case you don’t know about it, this article gives the basics and shares strategies to prevent this type of attack.

You’re probably familiar with hackers trying many different password combinations with the username. Web security services know about this form of attack, too. That’s why you can get locked out of your site for trying the wrong password too many times.

This brings us to password spraying. The cyber criminals have found a way to get around the three-tries-and-you’re-out-of-luck defense. Instead of one user and many passwords, they use one password with many different usernames.

Think how easy this could be. Your company database is online for people to contact your employees. The bad actor takes john@yourcompany.com, jane@yourcompany.com, jamal@yourcompany.com, and so on, or they buy a list of usernames on the Dark Web. Then, they try common passwords for every one of those individuals.

“Abc123,” “123456,” and … ugh … “password” are still frequently in use worldwide as passwords. So, it’s not that much of a stretch for a hacker to be able to get in with one of these common permutations.

The brute-force attack runs through a long list of users before trying the next “wrong” password. So, by the time it has finished going through the list of users with the password “abc123”, enough time has passed to avoid lockouts, and the hacker starts over with another password against the same user list.
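Seen from the defender's side, the pattern above is easy to miss with a per-account lockout counter and easy to spot when failures are counted per source. The following is an added example, not part of the original article; the log format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data: one source tries six accounts in three slow rounds."""
    users = ["john", "jane", "jamal", "maria", "li", "omar"]
    start = datetime(2022, 2, 15, 9, 0, 0)
    lines = []
    for rnd in range(3):  # one guessed password per round, 30 minutes apart
        for i, user in enumerate(users):
            ts = start + timedelta(minutes=30 * rnd, seconds=2 * i)
            lines.append(f"{ts.isoformat()} 203.0.113.7 {user} FAIL")
    # A real employee mistyping a password three times in a row.
    for sec in (0, 10, 20):
        ts = start + timedelta(minutes=5, seconds=sec)
        lines.append(f"{ts.isoformat()} 198.51.100.20 dana FAIL")
    # Ordinary successful login, to show normal traffic mixed in.
    lines.append(f"{(start + timedelta(minutes=6)).isoformat()} 198.51.100.21 john OK")
    return "\n".join(sorted(lines))


def parse(log_text):
    """Turn 'timestamp ip user OK|FAIL' lines into time-sorted tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)


def locked_accounts(events, max_failures=3, window=timedelta(minutes=15)):
    """Classic per-account lockout: N failures for one user inside the window."""
    recent = defaultdict(list)
    locked = set()
    for ts, _ip, user, ok in events:
        if ok:
            recent[user].clear()  # a good login resets the counter
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= max_failures:
            locked.add(user)
    return locked


def spray_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Flag sources whose failures hit many distinct usernames in one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        in_window, left, peak = Counter(), 0, 0
        for ts, user in fails:
            in_window[user] += 1
            while ts - fails[left][0] > window:  # slide the window forward
                old = fails[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("locked out by per-account rule:", locked_accounts(events))
    print("flagged by per-source rule:", spray_sources(events))
```

On this sample the per-account rule locks out only the employee who mistyped, while the per-source rule flags the address that touched six accounts.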

What to do about password spraying

The most obvious thing? Stop using any of the passwords that appear on the most commonly used worldwide lists! Do you think no one would still be using these obvious options? In 2021, there were more than 3.5 million reported uses of the “123456” password. “Password” came in second with 1.7 million reported uses. Both take less than a second to crack.

So, prefer more complicated passwords. This doesn’t have to mean that users add seven numbers, six symbols, and three capitalized letters. The National Institute of Standards and Technology (NIST) guidelines suggest length is more important. So, users can create longer yet easier-to-remember passwords.

IT administrators can also force users to change passwords at their first login to new applications. NIST further recommends checking every new password against a breached password list.
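One way to apply the two NIST points above (length first, then a breached-list check) when a user picks a new password, as an added example rather than code from the article. It assumes an 8-character minimum and a prefix-lookup (k-anonymity) style breached-password service, modelled here by a local stand-in class with a tiny constructed corpus; all names are hypothetical.

```python
import hashlib
import unicodedata

# Constructed stand-in corpus; a real list holds hundreds of millions of entries.
BREACHED = ["123456", "password", "abc123", "qwerty", "iloveyou"]


def sha1_hex(password):
    """Lookup key only (not a storage hash): SHA-1 of the NFKC-normalized password."""
    normalized = unicodedata.normalize("NFKC", password)
    return hashlib.sha1(normalized.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical breached-password service that answers 5-character prefix queries."""

    def __init__(self, corpus):
        self.by_prefix = {}
        for pw in corpus:
            digest = sha1_hex(pw)
            self.by_prefix.setdefault(digest[:5], set()).add(digest[5:])
        self.seen_queries = []  # everything the service ever learns from clients

    def lookup(self, prefix):
        self.seen_queries.append(prefix)
        return self.by_prefix.get(prefix, set())


def is_breached(password, server):
    """Send only the hash prefix; compare the remaining suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in server.lookup(digest[:5])


def screen_new_password(password, username, server, min_length=8):
    """Return the reasons to reject a new password; an empty list means accept.

    No composition rules (symbols, digits, capitals) are enforced: length and
    the breached-list check carry the policy.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if username.lower() in password.lower():
        problems.append("contains username")
    if is_breached(password, server):
        problems.append("found in breached list")
    return problems


if __name__ == "__main__":
    server = RangeServer(BREACHED)
    for candidate in ["123456", "password", "jane-likes-long-walks",
                      "correct horse battery staple"]:
        print(repr(candidate), "->", screen_new_password(candidate, "jane", server) or "accepted")
    print("service only ever saw:", server.seen_queries)
```

The service sees nothing but 5-character hash prefixes, so the candidate password itself is never disclosed during the check.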

Multifactor authentication helps, as well. This requires the user to verify themselves with access credentials and extra authentication. This might be a code sent via text to a smartphone or could involve an authentication app.

It’s also a good idea to segment your networks so that users access only what they need to. Limiting user access can minimize the damage done if there is a breach.

Put password best practices in place

Keep your business secure with the help of a managed service provider. We can spearhead the installation of lockout policies and other security measures. Our experts also stay current with the latest vulnerabilities to proactively protect your organization. Call us at (515)422-1995.

Filed Under: Business, Security, Tips Tagged With: business, passwords, security, tips


3 Reasons to Avoid Signing in With Facebook or Google Accounts

January 18, 2022 by Paul Schwegler

Nine out of ten times today when you visit a website you’re asked to sign in. To add convenience, many sites offer the ability to sign in using a Facebook or Google account. Sure, it’s simpler, but this article will share three key reasons why you might want to avoid this easy route.

It’s estimated that we each have an average of 100 passwords. That’s a lot to remember, especially as we need unique logins for every site to lower our risk of cyberattack.

At the same time, every website wants us to set up an account. It helps them get to know their users. This can help them to target marketing and product development efforts. They might also share the information with third parties as another source of income.

Still, the website wants to keep its users coming back, so they allow you to sign in with Google or Facebook accounts to streamline the process. Weigh the value of that added convenience against these three considerations.

#1 You’re giving away more data

By using Google or Facebook to sign in on other websites, you are giving the sites greater access to information about you. Now, they not only know what you do on their sites, but you’re also allowing them to build out their picture of you with data insights from the shared sites.

Google and Facebook have powerful tools to dig deeper into your online activity, and other websites can also extract data from your Facebook and Google accounts. If you don’t read the privacy policies, you may not know what sensitive data the platforms share.

#2 You could lose access

You may join those who are deciding to quit Facebook or leave Google in favor of another platform. If you do so, and you have used that account to access other sites, you’ll have to create new logins.

Even if you’re not ever going to do away with your Facebook or Google account, you could still lose access. If there’s a major outage at one of those two sites, you won’t be able to log in at any of your connected sites either. The other websites won’t be able to authenticate you until Facebook or Google is back up and running.

#3 Your attack surface gets bigger

If you have one unique login credential for a website, you risk your data there only if that site gets hacked. However, if you use Facebook or Google login, and bad actors compromise that account, they can access any shared sites.

Think of it like dominos. The Facebook or Google account is the first to fall, but all those other accounts you “conveniently” log in to using those credentials will come tumbling down soon after. Don’t think the attacker won’t bother looking for other connected accounts. All they have to do, once they breach one account, is go into your settings to see what you have connected.

Social media accounts are also a prime target. Don’t believe us? Bet you’ve seen a post from a Facebook friend (or ten) telling you to ignore strange activity due to a hacked account.

Protect your online identity

Account compromise is a top cause of data breaches worldwide. Protect your online identity by following best practices for cyber hygiene.

Need help with password security? Our IT experts can set you up with a password manager or provide other online security help. Contact us today at (515)422-1995!

Filed Under: Residential, Security, Tips Tagged With: passwords, residential, security, tips


The Unexpected Benefits of Password Managers

January 4, 2022 by Paul Schwegler

The main advantage of a password manager is obvious to anyone with more than one account online (i.e. everyone). Instead of remembering all 100 usernames and passwords, the password manager autofills them. It’s a boon. But it’s not the only reason to use a password manager. This article shares several more unexpected benefits.

Password manager programs generate, manage, and store many different passwords. You may be concerned about whether a password manager is safe to use. But, the cybersecurity industry consensus is “yes, it is.”

Password managers use top-notch encryption to protect passwords. Plus, they take a zero-knowledge approach. They can’t actually see the passwords they store and prefill on sites. The password is encrypted before it reaches the manager’s server and can’t be deciphered. This is why you need to be so careful not to forget your master password!

That said, the password manager offers more than a vault for encrypted credentials.

More Benefits of Password Managers

For one thing, many password managers have apps for download onto mobile devices. Then, you can use the password manager to prefill forms on those, too. This gives you the advantage of convenience not only on your desktop computer but also on the go.

Some password managers offer added security benefits, as well. They might:

  • warn you of weak password and login credentials;
  • remind you to change your passwords;
  • notify you if your passwords may have been compromised in a breach;
  • advise you against repeating access credentials if you’re about to do so.

Another advantage is that you can conveniently share passwords with others. Maybe you want to give family members shared access to streaming accounts or allow a work colleague access to applications you’re using remotely. A managed password sharing feature can allow them to see selected passwords. You aren’t showing everything: you can pick what you make available. Plus, when you change your credentials, the password will change on their end, too. This doesn’t need to be permanent either. You can easily revoke password sharing.

You can also use a password manager to secure other important information. You might store things such as credit card numbers or other personal identifying information. Keeping that kind of data in an unencrypted note on your desktop or mobile device is unsafe, but you can take advantage of password manager encryption to safely store those precious details.

Secure your passwords with a manager

You can’t expect to remember all your unique passwords. Yet the days of writing down passwords on Post-it notes are over. Use cloud-based password management to secure your passwords and do more.

Contact our IT experts today to find out more about password management. We’re happy to suggest the best solution for your needs and set it up, too.

Call us now at (515)422-1995!

Filed Under: Residential, Security, Tips Tagged With: passwords, residential, security, tips


LetMeIn101: How the Bad Guys Get Your Password

March 17, 2020 by Paul Schwegler

Passwords are essential to your cybersafety. You know it, but if you’re like the rest of the digital society, you probably have dozens of passwords to remember. It’s a lot. So, you might take shortcuts. Taking advantage of your laissez-faire attitude is one way bad guys access your passwords.

Incredibly, there are still people out there using “password” or “123456” in their access credentials. Some people don’t change the default passwords on their devices. So, anyone can pick up a router, look at the sticker identifying the password, and access that network.

Tip: Avoid the obvious passwords! When you have to create a password, make an effort. When it’s time to update a password, do so. Steer clear of simple, easily guessed patterns.

Cybercriminals can also guess your password. With a little bit of research about you online, they can make some informed guesses. Common passwords include pet names, birthdays, and anniversaries. These are all easy to find via your social media accounts.

Tip: Be careful what you share on social media! Don’t befriend strangers, as you are giving them access to a goldmine of info for personalizing an attack on you.

If that doesn’t work, criminals may try brute force. They might script an automation bot to run thousands of password permutations until they get a hit. The software will try a long list of common passwords and run through dictionary words to gain access.

Tip: Use a complex password with numbers, letters, and symbols or a passphrase. A passphrase is typically at least 19 characters long but is more memorable, as it is unique to you.

The criminal may also be working with info from a data breach. In early 2019, a security researcher found more than 2.7 billion email/password pairs available on the Dark Web. Criminals accessing that database could use the data as a starting point, as many people duplicate their passwords across accounts.

Tip: Use a unique password for each site. Yes, that’s overwhelming to remember, and that’s also why you should use a password manager to keep track of it all for you.

Criminals can also access your account if you’ve used a hacked public computer. The bad guys may have installed a key logger on the computer. The logger records every key you press on the keyboard. Or they might have compromised a router or server to be able to see your information.

Tip: Be cautious about your online activity on computers or networks you don’t trust.

Of course, there’s one more method of getting your password that we haven’t addressed yet. It’s the familiar phishing attack. For instance, you get an email that looks like it was sent by your bank. Phishing typically has an urgent message and a link that directs you to what looks like a credible page.

Tip: Pay attention to who is sending the email and hover the mouse over the link to see where it goes. If you are concerned about your bank account, for example, open up a browser and type the URL manually rather than clicking the link.

These tips can help you to protect your valuable passwords. Still, setting up a password manager and amping up your internet security can help too. Need support getting ahead of the cybercriminals?

Contact our experts today! Call us at (515)422-1995

Filed Under: Residential, Security, Tips Tagged With: passwords, residential, security


Time to Refresh Your Passwords

March 17, 2020 by Paul Schwegler

We often tend to be creatures of habit, particularly when it comes to technology. Passwords are a prime example. Many of us use the same logins for multiple websites and applications because we don’t have a photographic memory. A large percentage of users aren’t aware that this is one of the most significant security dangers they can face online. It has a simple fix too.

Regularly, in the news today, there are stories about major companies being hacked, their customer data stolen, and their customers left stranded. Hackers commonly use data stolen from one site to access others where login credentials have been reused between accounts. In some cases, access to bank accounts has been gained simply by using a compromised email account.

Businesses and individuals can face significant losses simply because a third party outside their control has been hacked or compromised.

The Danger Of Old Passwords

MySpace is a key example of why old and possibly forgotten services pose a security danger when passwords haven’t been regularly changed. Once a thriving popular network, the use of MySpace services declined drastically from 2007 onwards. While many people moved to new social networks, old accounts typically remained abandoned on their servers. Hundreds of millions of accounts remained on MySpace servers many years past the firm’s peak.

In 2016, MySpace suffered a data leak which exposed usernames, emails, and passwords of 360 million user accounts. Shortly after the hack, these details were published online for anyone to see. Many were used to access email accounts, servers, and accounts that shared the same details.

Shared Responsibility

Even if you have never had a MySpace or social media account personally, how many of your employees or coworkers have one or more? Many have had more social media, forum, or game accounts than they care to remember. Have their passwords been updated since 2016?

Your business network protects your systems, work, and intellectual property. For many firms it’s the single most critical component, the backbone to business operations. Keeping it secure regardless of the number of people, staff or clients using it is a crucial task.

Consider how many people currently have access and how many of those may reuse their password on another website or service. Just reusing your password once can expose you to the hacking of a third party entirely out of your control.

Password Management

Good security practice is to use a unique and strong password for every login you use. A strong password should include, where possible, capital letters, lowercase letters, numbers, and character symbols. Many consider this impractical or even impossible, but it is entirely achievable for every firm.

It is clearly impossible to manually remember a strong password for each one of the dozens of logins needed today. Few would even attempt to. A password manager makes storing, retrieving, and using unique passwords easy.

When using a password manager, an individual is required to remember only one single strong password to access a database which contains a different login password for each service. This database can be synced between multiple devices, saved and backed up to the cloud, and even used to create strong passwords for you.

Strong Protection

Password managers can be used to implement security policies that demand zero password reuse, between services or over time, and set strict limits over the duration a password can last. With the right policies in place, both your business and your employees are protected against attacks from hackers that have compromised third-party sites.

The maximum recommended lifetime of a password for any service is a single year. Make the start of the calendar year the time at which you refresh your passwords and start anew.

To help keep on top of your security and make sure your firm is safe well into the new year, give us a call at (515)422-1995.

Filed Under: Business, Security Tagged With: passwords, security


Don’t Get Hooked by Spear Phishing Attacks

March 3, 2020 by Paul Schwegler

Phishing attacks have been around for a long time in IT. Designed to steal your credentials or trick you into installing malicious software, they have persisted in the IT world precisely because they have been so devastatingly simple and effective. Today, a more modern and more effective version of the same attack is commonly used.

A typical phishing attack involves an attacker sending out a malicious email to hundreds of thousands, if not millions of users. The attacker’s email is designed to look like it comes from a bank, financial service, or even the tax office. Often aiming to trick you into logging in to a fake online service, a phishing attack captures the login details you enter so an attacker may use them to enter the genuine service later.

By sending out tens of thousands of emails at a time, attackers can guarantee that even if only one half of one percent of people fall for it, there is a lot of profit to be made by draining accounts. Spear phishing is a more modern, more sophisticated, and far more dangerous form of the attack. It’s typically targeted at businesses and their staff.

A Convincing, Dangerous Attack

While a traditional phishing attack throws out a broad net in the hope of capturing as many credentials as possible, spear phishing is targeted and precise. The attack is aimed towards convincing a single business, department, or individual that a fraudulent email or website is genuine.

The attacker focuses on building a relationship and establishing trust with the target. By building trust and convincing the target that they are who they are pretending to be, the user is more likely to open attachments, follow links, or provide sensitive details.

Consider how many times you have followed a link or opened an attachment just because it has come from a contact you have trusted before.

A Trusted E-mail

The malicious email can appear to come from a vendor you deal with regularly. It may even look like an invoice you are expecting to receive. Often attackers can simply substitute the vendors’ banking details for their own, hoping the target will not notice the difference.

Such an attack is very difficult to detect. It takes a keen eye, strong working knowledge, and constant awareness to keep your company protected. Even a single small mistake by an unaware member of staff can compromise your business accounts.

Defending Your Business

The key to stopping a spear phishing attack is education. Learning attack techniques and how to protect against them is the single biggest thing you can do to enhance business security.

Whenever you deal with a vendor in a business transaction, you should always consider important questions before proceeding. Are you expecting this email? Is the vendor attempting to rush you into a quick decision or transaction? Have you checked all the details are correct and as you expected? Sometimes a simple query to the vendor can protect you against worst-case scenarios.

In many cases, a phishing attack can be halted in its tracks with a strong IT security package. Web filtering prevents malicious emails and links from entering the network, shutting attacks down before any damage can be done.

Good Security Practice

As with many types of IT threat, good security practices help mitigate damage. Locking down security to ensure employees only access the systems they need helps to prevent damage spreading across the network.

Enforcing unique and strong passwords prevents leaked credentials from affecting systems related to the one that has been compromised. Getting employees set up with a password manager and good security policies can do the world of good to boost your security to the level it needs to be.

Give us a call at (515)422-1995 to audit your security practices. It could be the difference that secures your firm against sophisticated spear phishing attacks.

Filed Under: Business, Security, Tips Tagged With: business, passwords, phishing


Is Your Physical Security as Good As Your Cybersecurity?

February 18, 2020 by Paul Schwegler

Headlines are often made by firms that have been hacked by “elite” cybercriminals. These events sound high tech, sophisticated, and interesting. The truth is almost always an amateur attacker chancing their luck with an unpatched security hole or bad password. Physical break-ins affect businesses far more commonly and cause much more damage, but get talked about far less.

Similar to technology hacks, most physical security threats come from criminals that chance their luck on businesses that look poorly secured. On a rare occasion, they may strike a business owner that has forgotten to lock up or failed to set the security alarm.

By breaking in, these criminals exploit poor physical security to cause damage and steal valuables. Typically, by destroying or taking critical assets, a criminal may make a few hundred in profit while the total damage done to the business is counted in the tens of thousands.

While most IT security packages act automatically and always remain on, physical security needs to be made a daily habit and requires periodic updates.

Threats Starting from Within

Every business should have secure locks protecting their doors. Many use an alarm system to add protection to valuable assets. However, there are common threats that neither of these can protect you from. How would your business be protected if the attack came from within your firm?

A disgruntled employee, or even a former employee, can do an enormous amount of damage to a business. Attacking their own business, an employee can likely do more damage during the day than a criminal could by breaking in overnight. Misplaced trust in the wrong individual can result in devastating consequences.

Employees typically have access to one of your business’s most valuable assets: data. A criminal may steal computer hardware to sell on for quick cash because most don’t fully understand the value of the data stored on it.

The value of the data in a business machine can easily exceed the cost of the hardware one hundred times over.

Physical Security Heists

For criminals who do understand the value of data, physical security can be the weakest spot in a business’s armor. In 2013, media streaming service Vudu suffered a break-in where criminals stole server hardware to obtain credit card information stored within.

A technology-savvy streaming firm is highly likely to have up-to-date IT with excellent security measures. Thieves looking for easy cash recognized that the best way to get to the data was through their comparatively weak physical security.

The best security packages in the world are completely ineffective if the keys are left in the door and physical hardware is easy to remove. This challenge of securing your data can be made even more difficult when using a location that must remain open to the public.

Securing Your Data with Good Security Practices

Keeping your customer data safe is one of the most significant responsibilities small business owners take on. It requires a duty to employ the best possible security practices to keep your customers safe. For a customer to have the trust to use your business over the competition, they have to see their concerns put to rest.

Locking down data access for employees so they can only view and edit what is strictly needed protects both customers and the business against many kinds of damage, both accidental and malicious. Limiting device access, such as disabling USB ports to thumb drives or storage devices, helps to prevent data being copied and carried offsite.

Physically locking down a server in the location it sits is one of the best deterrents available to protect against theft. Locked server racks are an excellent piece of physical security that works on top of the building security already in place.

Make sure your business is up to the task of securing its data. Give us a call at (515)422-1995 to audit both your digital and physical security.

Filed Under: Business, Security, Tips Tagged With: Cyber security, Hackers, passwords, theft


Copyright © 2023 · Little Dog Tech · 5946 Ashworth Rd. , West Des Moines, IA 50266