Multi-Factor Authentication

Once again high profile hacking is in the news.

Accounting firm and security advisor Deloitte was illegally accessed last month by unnamed hackers who managed to compromise an administrator account and used it to access one of Deloitte’s Microsoft Azure accounts. So far, at least six of its clients have been informed that data including usernames, passwords, IP addresses, architectural diagrams and health information was accessed by the hacker. Deloitte is still reviewing the breach and contacting affected parties.

A question many are asking is “How did such a large company with so much experience in cybersecurity get breached?” The answer is simple: the administrator account that was compromised didn’t have two-factor authentication.

Two-factor authentication adds a second check when you log in to an important account. The name comes from using two factors to log in: your usual password plus something separate, such as a code sent to your cell phone, a hardware token (key fob), or biometric data like a fingerprint. In general, requiring more than one factor to log in is referred to as “Multi-Factor Authentication” or MFA. With MFA enabled, even when a hacker manages to discover your password, they still can’t access your account without also having your other factor, like your phone. (Codes delivered by text message are far better than nothing, but they can be intercepted if someone takes over your phone number, which is why securing your cell phone number with your carrier matters too.) Deloitte didn’t use it on one administrator account, and as a result the hacker merely needed to get one password in order to gain the keys to the kingdom.
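To make the “password alone is not enough” point concrete, here is an added Python illustration (not Deloitte’s, Microsoft’s or LastPass’s code) of the second-factor check that authenticator apps perform: a time-based one-time code (RFC 6238 TOTP) that the server recomputes from a shared secret and the current time. The user record, salt and the fixed TOTP secret are constructed values chosen so the example runs offline and reproducibly; the secret happens to be the test key from the RFC so the codes can be checked against its published vectors.

```python
import hashlib
import hmac
import struct

# Added illustration of a second-factor check in the style of RFC 6238 (TOTP),
# which is what authenticator apps implement. Not code from the original post.


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current code plus `window` 30-second steps either side
    (clock drift), comparing in constant time so the check itself leaks nothing."""
    counter = int(at_time) // 30
    return any(
        hmac.compare_digest(hotp(key, c), code)
        for c in range(counter - window, counter + window + 1)
    )


# Constructed user record: the password is stored as a salted PBKDF2 hash, and
# the TOTP secret is what was enrolled into the user's authenticator app.
# Both the salt and the secret are hypothetical fixed values for reproducibility.
_SALT = b"constructed-salt"
USERS = {
    "admin": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Winter2017!", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}


def login(username: str, password: str, code: str, at_time: int) -> tuple:
    """Return (ok, reason). Both the password and the second factor must pass,
    so a stolen password on its own is rejected at the second step."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False, "bad password"
    if not verify_totp(user["totp_secret"], code, at_time):
        return False, "bad or missing second factor"
    return True, "ok"


if __name__ == "__main__":
    now = 1111111111  # fixed clock so the run is deterministic
    good = totp(USERS["admin"]["totp_secret"], now)
    print(login("admin", "Winter2017!", good, now))      # (True, 'ok')
    print(login("admin", "Winter2017!", "000000", now))  # right password, wrong code: rejected
    print(login("admin", "wrong", good, now))            # wrong password: rejected first
```

Note that the server never learns anything from the attacker having the password alone: the second check needs the secret that lives only on the user’s phone, which is the whole value of MFA.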

Increasingly, two-factor authentication is being considered a basic security step, and we here at TechGen highly recommend all of our clients look into MFA solutions.

  • Microsoft has step-by-step instructions for setting up MFA for Office 365. You can read those here.
  • Another good password solution, LastPass, also supports MFA. Specific instructions are here.

We would be happy to help you set up MFA for your important accounts; if you are interested, please let us know.

Simple Ways to Protect Your Online Accounts and Your Business

It’s clear that the Equifax breach is a big deal because of the type of information exposed. Here are some simple things you can do to protect yourself, and protect your business at the same time.

 

Protect Your Email

Your email account is arguably your most important account. If someone gets into it (because of a weak password, or a password you reuse on multiple sites) they can then get into the other sites you use, like your bank, social media, Amazon and others, by triggering password resets, which are sent to the very email account they now control. What to do: make sure you have a LONG password on your email account, and turn on Two-Factor Authentication if possible, so that a compromised password alone isn’t enough to get in. Our team can help ensure your email accounts are protected.

 

Turn on a Fraud Alert

Each of the credit bureaus has a free process for turning on a fraud alert. If someone tries to apply for credit in your name, the credit-issuing company must verify your identity before issuing credit. An initial fraud alert lasts 90 days and can be renewed. I’ve found that Experian has a simple, quick way of turning on a fraud alert. Experian is required to notify the other bureaus on your behalf so that fraud alerts are turned on for their files too. Click HERE to visit the Experian fraud alert page, and scroll down to the bottom to enroll without needing a credit report number.

 

Secure Your Cell Phone #

Your cell phone number (and the text messages you receive on it) is one of the most important “keys” to your digital life. If a hacker takes over your cellular number, any security verification messages will go to the hacker instead of you, making account takeovers simple. Inc.com has a great article that talks about this. What to do: contact your cellular carrier and request a Security PIN on your account that must be provided before any account changes are made (including assigning your phone number to another phone or SIM card).

 

Use a Password Management Tool

You’ve got to stop reusing the same password everywhere. The practical way to do that is a password management tool like Lastpass.com, which generates a different password for every site and securely keeps track of them for you. We help our clients implement LastPass on an individual basis and company-wide.

 

If you ever have questions on any of these topics, please feel free to email support@techgen.com, or call us at 612-279-2400.

We’re proud to announce we’re now ISO 27001:2013 certified!

Using LastPass

Everyone should use a password manager like LastPass, 1Password or Roboform to ensure they’re using separate, complicated passwords on each website visited. This article will specifically show some quick tips/videos about using LastPass.

 

  • You’ll primarily use the app through the Chrome/IE browser extension. Here’s a video on how to use it.
  • Creating secure passwords is easy. Let LastPass generate the password for each NEW site you sign up for; for sites you already use, sign in, go through that site’s process for changing your password, and have LastPass generate and save the new one. Here’s a quick video on how to create passwords.
  • The Vault is the place where all of your passwords are stored, protected by your master password. You can organize your passwords by folder here and share them with others. This video shows you how to access the vault.
  • Visit the app store on your mobile phone to download the LastPass app there.

We can help your organization set up LastPass Teams, as well as train users on how to use the software, to keep their online accounts protected.

Need help?  Contact us!

 

2017 Password Security Recommendations

Everyone has heard a lot about password security, but as of June the suggested practices have changed. With the constantly evolving world of cyber threats in mind, researchers at the National Institute of Standards and Technology (NIST) reviewed a significant body of evidence about which kinds of passwords work and which don’t, and published revised guidance (Special Publication 800-63B). A lot of the old rules we learned years ago have been found to be ineffective and don’t really protect us as much as we thought. The new recommendations are summarized below:

  • All passwords should be at least 8 characters long, and significantly longer when possible. Passwords under 8 characters are simply too easy to crack with modern computers. Length matters more than anything else in making a password hard to crack.
  • Requiring special characters (!@#$) is no longer recommended. Forced complexity rules mostly make passwords harder to remember without making them much harder to crack. It’s safer to make your password easy to remember but very long, such as a series of several random words. Note that a single word, no matter how long, is never secure: dictionary words are the first thing a cracking tool tries, so use multiple words.
  • Don’t use repetitive or sequential characters in a password. That means 1234abcd, qwertyui and aaaaaaaa are all very insecure passwords. Password-cracking tools have had these patterns built in for years and will find them almost instantly.
  • Don’t use your username or the name of the website as part of your password. Even though this adds length, it is one of the first things an attacker will guess.
  • Don’t rely on password “hints” or security questions as a way back into your accounts. If you do, a hacker only needs to find out your mother’s maiden name or other simple facts about you (often available on social media) to get in; they don’t need to guess your password at all. NIST now says services shouldn’t offer hints or knowledge-based questions in the first place.
  • Don’t change your password on a fixed schedule. It is still essential to change a password if you clicked on a suspicious link, were infected with malware, or the password was exposed in a breach; but arbitrarily changing it every X days just increases the likelihood that you’ll pick weaker passwords, or ones very similar to the last one, which are no more secure.
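As an added illustration (not NIST’s text or TechGen’s code), here is a small Python checker that applies the rules above to a candidate password, plus a generator for the “series of random words” style of password. The word list and the breached-password list are short constructed stand-ins; a real deployment would check against a large breach corpus, which NIST SP 800-63B also calls for.

```python
import secrets
import string

# Added illustration of the 2017 NIST-style password rules summarised above.
# Not code from the original post; the two lists below are constructed stand-ins.

COMMON_BREACHED = {"password", "123456", "qwerty", "letmein", "welcome", "football"}

WORDLIST = ["correct", "horse", "battery", "staple", "copper", "violin",
            "harbor", "meadow", "lantern", "pebble", "orchid", "tundra"]

# Sequences used to spot "1234abcd" / "qwertyui"-style passwords (both directions).
_SEQUENCES = [string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_run(pw: str, length: int = 4) -> bool:
    """True if any window of `length` characters is all the same character or is
    a forward/backward slice of the alphabet, the digits or a keyboard row."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if len(set(chunk)) == 1:
            return True
        for seq in _SEQUENCES:
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def check_password(pw: str, username: str = "", site: str = "") -> list:
    """Return a list of human-readable problems; an empty list means the
    password passes every rule on the page."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in COMMON_BREACHED:
        problems.append("appears in a breached-password list")
    if has_run(pw):
        problems.append("contains a repeated or sequential run")
    for label, value in (("username", username), ("site name", site)):
        if value and len(value) >= 3 and value.lower() in pw.lower():
            problems.append(f"contains the {label}")
    return problems


def generate_passphrase(n_words: int = 5, sep: str = "-") -> str:
    """Pick words with the `secrets` module (CSPRNG), not `random`, so the
    passphrase is unpredictable; length comes from the word count, not symbols."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ["aaaaaaaa", "1234abcd", "qwertyui", "Password",
                      "alice2017wins", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {check_password(candidate, username='alice') or 'OK'}")
    print("suggested:", generate_passphrase())
```

The checker deliberately has no rule about special characters: a long passphrase of random words passes, while a short or pattern-based password fails even if it contains symbols.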

And finally:

  • You should use a password manager. Writing passwords down is still not considered good practice, because sticky notes with passwords on them are easy to find. Password managers like LastPass hold all of your passwords in an encrypted vault that only your master password can open, so you can use long, complex, unique passwords without having to memorize them. The only password you need to know is the super-strong master password for LastPass (and turn on MFA for that account too). We’ve used LastPass here at TechGen for a long time, and are reaching out to clients recommending that they use it too. We will be very happy to help you set it up. The time savings and added security are absolutely worth it. Please contact us if you are interested in pricing, features, etc.