2 factor and phishing

Usernames and passwords. They’ve been around a long time. They work, sorta. They work better with a password manager that helps you make strong passwords unique to each of your logins.

But usernames and passwords have many problems. You could easily watch someone type their password in a coffee shop. I was on a commercial flight not long ago, and an executive from a MAJOR bank logged into their system in the row in front of me holding their smartphone at eye level for the whole plane to see.

“2 factor” is a concept that has been around for a long time, and it is much more straightforward than the marketing fluff may make it seem. The idea is to add a second method of authentication to your existing login. With a username and password login system, that means also having to authenticate with something physical that you have, as another layer of security. Sometimes the second factor can be who you are; your fingerprint is an example.

While not foolproof, adding more layers does make unauthorized access to your accounts more difficult.

And that’s a foundation of security: make it more expensive to steal than the information is worth.

It’s very common to see text messages used as a second factor, but we highly recommend at least an authenticator app like LastPass or Google Authenticator. If you really want to step up your game, a physical device like a YubiKey is an excellent and affordable choice.

In our research, adding hardware 2-factor authentication dramatically reduces the chance of employees being phished.
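The following is an added example, not code from this article. It goes one step beyond the text by modelling why a hardware key holds up on a look-alike login page while an authenticator-app code does not: the app's code depends only on a secret and the clock, while the key's response also covers the site address the browser saw. The origins, keys and challenge are constructed sample values, and HMAC stands in for the public-key signature a real key produces.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on the secret and the time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def key_response(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified hardware-key model: the response covers the origin the browser saw.
    HMAC is a stand-in for the per-site signature of a real key (assumption)."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def site_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def site_accepts_key(device_key: bytes, challenge: bytes, response: bytes, own_origin: str) -> bool:
    return hmac.compare_digest(key_response(device_key, challenge, own_origin), response)

# Constructed sample values (assumptions, not from the article).
REAL_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.example.net"
SECRET = b"12345678901234567890"        # test secret from RFC 6238
DEVICE_KEY = b"constructed-device-key"
CHALLENGE = b"constructed-server-challenge"
NOW = 59

def second_factor_on_wrong_site() -> dict:
    """What the real site decides, depending on where the user answered the prompt."""
    typed_code = totp(SECRET, NOW)  # a typed code carries no trace of the page it was typed into
    wrong_site = key_response(DEVICE_KEY, CHALLENGE, LOOKALIKE_ORIGIN)
    right_site = key_response(DEVICE_KEY, CHALLENGE, REAL_ORIGIN)
    return {
        "totp_entered_on_lookalike": site_accepts_totp(SECRET, typed_code, NOW),
        "key_used_on_lookalike": site_accepts_key(DEVICE_KEY, CHALLENGE, wrong_site, REAL_ORIGIN),
        "key_used_on_real_site": site_accepts_key(DEVICE_KEY, CHALLENGE, right_site, REAL_ORIGIN),
    }
```
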

What are red and blue teams anyway?

Inside baseball (metaphor): It usually refers to a detail-oriented approach to the minutiae of a subject, which in turn requires such specific knowledge of what is being discussed that the nuances are not understood or appreciated by outsiders.

Security professionals are a detail-oriented bunch. It goes with the territory, but if you are the person making the financial decisions, it’s important to know the high-level concepts when they are making a case for why you should spend more money on security.

This brings us to Red Teams and Blue Teams.

It’s pretty simple. These are the basics. There are nuances and not every strategy follows these concepts exactly.

Red Team:

An external team that tries to infiltrate, phish, and test your security program. This is sometimes referred to as penetration testing, but that’s a more specific set of tasks. The red team may use social engineering, network attacks, vulnerability attacks and the like to defeat your security. It’s important to note that this isn’t merely testing how strong the wall you’ve built is. Often your security is weakest inside that wall you’ve spent so much time building.

Blue Team:

The (often) internal security team that defends against the Red Team, but also against the real attackers. Depending on the organization, this may be a separate team from your regular security team or made up of some of its members. The primary goal is to assume you’re ALWAYS being attacked and to defend against this by refining security processes.

Remember that security doesn’t mean just building a bigger wall. Security is a process that needs constant attention and starts from the inside out.

What’s the first thing a hacker will do?

Step one to breaking into any system and causing havoc is reconnaissance. An attacker will gather as much information about your environment as possible. They’ll look for security software, and make extensive lists of anything that your systems will tell them about themselves.

Then they’ll start to look at your users. Social engineering is one of the most common ways to get into a secure network. Why break in when you can get someone to let you in? This is why training and vigilance are so necessary.

Not too far into a targeted attack, they start to access your Active Directory system. Why? Because Active Directory knows where everything is. It’s precisely what it’s designed to do.

It knows:

  • Users
  • Groups
  • Network Shares
  • Endpoints
  • Servers
  • Domain Controllers
  • Routing Tables

Once they get this information, looking for places that are good to attack becomes easy. As they gain access to more systems, this process snowballs.

You are owned.

Those are words that you do not want to hear.

Now stealing information and documents becomes easy.

What are you doing to protect your Active Directory? Are you monitoring your Active Directory and actively securing it?

We can help.

It’s intern time

As longtime security leaders and innovators, we can say categorically that while you can learn concepts in school, that’s never enough to actually perform real-world security tasks.

We’re into our second year of the intern program at Assurance Data “University”. Every Friday our Chief Strategy Officer Chuck Sirois leads an intensive online training program for a select group of up-and-coming security experts.

This month we’re covering topics like:

  • Attack Vectors
  • Keeping up with the daily changes in security threats
  • How to mitigate security problems

Interested in becoming the next security leader? Email us at md@assurancedata.com.

Tips and Tricks Tuesday: Two tips for keeping yourself secure

Security depends very much on your actions as an end user. The more secure you are personally, the more secure your organization can be.

Let’s start with some simple things you can do right now to make yourself more secure. This week we’ll focus on passwords and authentication.

Use a password manager AND a different password for EVERY account

Data breaches happen. But it’s easy to mitigate the damage if you use completely different passwords for EVERY login. Managing this is easy with apps like LastPass and 1Password (there are many others). You remember one login, and the app helps you generate secure passwords for every service that you don’t even have to know.

Surely you can see how “!D4sL@nN1pJRbG” is a better password than your kid’s birthday, right?

Turn on 2 factor everywhere it’s available

Most major services, from Facebook to Flickr, offer a free way to get a text or use an authentication app like LastPass Authenticator to give you a second layer of protection on top of your password. This isn’t perfect, especially if you use text messages for this, but it’s better than your password alone. Check the help section of each app for how to enable this, and do it for EVERYTHING.

These two simple things can help make you dramatically more secure in your day-to-day internet interactions. Need a solution for enterprise password management or authentication? Let us know.

AssuranceData Meltdown/Spectre Security Alert

Spectre and Meltdown Overview and Mitigation Details

Overview: As of January 3rd, 2018, multiple vendors started publicly releasing patches for CRITICAL security flaws related to modern CPU architecture vulnerabilities “Spectre” and “Meltdown”.

  • Spectre: Exploits speculative (predictive) execution to allow a user process to see kernel memory
  • Meltdown: Exploits a kernel process flaw that runs rogue data (out-of-order execution) when a process is faulted from a user process

Updates:

Windows has updates [MANUALLY DEPLOYED] in some cases.

  • The patches can conflict with certain antivirus products and cause a blue screen.
      ◦ To get the patches, a registry key must be set
      ◦ Some AV vendors are setting the registry key automatically
  • Other hardware firmware updates are often required

Mitigations:

  1. Update Firmware on all devices when related patches are released
  2. Update all Operating systems when related patches are released
  3. Provide layered security protections, behavioral analytics, and data transmission monitoring and control
  4. Spectre/Meltdown system health checks
  5. Spectre/Meltdown exploit detection tools
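One way to run the system health check from item 4 on Linux hosts, as an added example (not Assurance Data's tooling): patched kernels report their Meltdown and Spectre status as one-line files under `/sys/devices/system/cpu/vulnerabilities`. The function names and the sample directory in `demo()` are constructed for illustration, and a missing file is treated as needing attention because the kernel is too old to report its status.

```python
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one kernel status line to a coarse state."""
    if status is None:
        return "unknown"              # file missing: kernel predates this reporting
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def health_check(base=SYSFS_DIR):
    """Return {check: (state, raw_line)} for the Meltdown/Spectre entries."""
    result = {}
    for name in CHECKS:
        path = Path(base) / name
        raw = path.read_text() if path.is_file() else None
        result[name] = (classify(raw), raw.strip() if raw else None)
    return result

def needs_attention(result):
    """Checks that are vulnerable or cannot be verified, sorted by name."""
    return sorted(name for name, (state, _) in result.items()
                  if state in ("vulnerable", "unknown"))

def demo():
    """Run the check against a constructed directory (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "meltdown").write_text("Mitigation: PTI\n")
        (Path(tmp) / "spectre_v2").write_text("Vulnerable\n")
        # spectre_v1 is deliberately absent to model an unpatched kernel
        return needs_attention(health_check(tmp))

if __name__ == "__main__":
    for name, (state, raw) in health_check().items():
        print(f"{name:12} {state:13} {raw or '(not reported by this kernel)'}")
```
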