Backyard SSO Hero

Backyard-SSO-Hero

So, my neighbor, Penny, peaks her head over the fence and asks me what I think about this SSO stuff.  What makes her think I even want to chat in the first place . . . the game is on and I’m stuck out here?  Can’t she see all these leaves taunting me because the leaf blower won’t start?  A more appropriate discourse would have been something like, “Hey, my kids are looking for something to do. Can they rake your leaves for you?” But never the less, as I reluctantly get off my knees to graciously accept her unwanted invitation for fence banter, she continues with, “What does it even stand for?  People I work with have been throwing it around, and I feel like I’m missing out on something. Does it stand for ‘Sorry So Obvious’ or ‘Seek Some Outdoors’ or maybe some form of ‘See ya Soon’?”

 

She now has me amused, and I’m finding her unsolicited remarks more interesting than the task at hand.  I slowly get upright and reply to her with, “SSO stands for Single Sign On, and you may have it in place if your work day is not interrupted by too many security logins to the various applications you use at work. You are able to save time with SSO.”

 

“Security logins?  What are those?” she replies.

 

“Do you have to provide an account name and password when you log into your computer in the morning?” I ask.

 

“Yes”, she states.

 

“Do you then have to provide additional username and password combinations to access other applications, such as SharePoint or Google Apps?”

 

“Oh, do you mean like Blackboard or my email?” she asks.

 

“Yes, exactly like Blackboard and Outlook Web App.  How do you like logging in that many times in one day?” I inquire.

 

“It drives me nuts!” she retorts.  “I have already shown the computer who I am, so why does it keep asking me to provide more names and passwords?!  Our IT guy tells us we need to make strong passwords with symbols, upper and lower case letters, and even numbers.  Oh noooo… you can’t even make it something that is easy to remember because it would be too easy to guess.  That’s hard enough, and then we can’t write it down! My job is stressful enough without having to be bothered with all these usernames and passwords, not to mention dealing with an IT staff member should you, dare I say it . . . forget your password.”

 

Woah!  When did I become the neighborhood technical therapist? 😉 Anyway, football game and lawn work aside, Penny needs help and I’m the closest one to her at this point…  the sacrifices us dedicated IT people make. I reassured Penny,“Single Sign On is going to be your best friend soon. You will be able able to save time with SSO, and SSO reduces the phishing attach space. Not to meant ion, having SSO in place will eliminate most of the bad experiences you are having with passwords and authentication.”

 

Penny asks, “Soon?  Why do you say soon?”

 

I reply, “Because it’s obvious that your company has not implemented SSO yet due to your multiple logins, and it looks like you can be the hero that starts the revolution for your co-workers.  Here’s what you do when you get back to work on Monday.  See if you can find someone with buying power, and plant a seed with the following facts.

1-  Save time with SSO! Save time not only for the individual users that no longer have to login to everything, but also for the IT people that are currently supporting users with multiple accounts and passwords.

2- Remind that person how grateful the IT staff will be to the person that puts SSO in place and takes a lot of frustration and despair out of their work week.

3- And for the knockout blow, SSO reduces the phishing attack space. You can let that lucky person know that eliminating all those logins reduces the phishing attack space considerably.  Should they ask how to get started, you can give them the www.portalguard.com website.”

 

The next thing I know, I’m watching the game, and Penny’s kids are finishing up the yard work.

Read More

How to Make an Authentication Cocktail

Authentication Cocktail

Who doesn’t enjoy a good cocktail?

James Bond liked his “shaken, not stirred” and most like them “on the rocks.” All this talk of cocktails is making me thirsty! However, today we are not here to talk about drinking a delicious drink; we are here to talk about an authentication cocktail.

What is an “authentication cocktail?”

An authentication cocktail is the pairing of two separate two-factor authentication (2FA) one-time password (OTP) delivery methods to make a full-bodied authentication combination that works in tandem to achieve the level of security needed to accommodate all end users and maintain your corporate security policy.

An authentication cocktail can be made either shaken or stirred depending on your needs.

 

RECIPE

Ingredients:

Makes 1 flexible solution

 

-Flexible authentication extension

-Registered users on Active Directory (AD)

-One current authentication solution (example RSA SecurID token)

-One new authentication solution (example YubiKey token)

-Select user groups


DIRECTIONS

Shaken:

Step 1. Purchase and deploy a flexible fixed cost authentication extension.

Step 2. Make sure you have a select group of RSA users that you can introduce to the easier plug and play USB YubiKey token.

Step 3. Prepare the users for the new integration by informing them of the change and assure them the changeover will be completely guided and painless because the user  can use both in parallel until their RSA token expires.

Step 4. Remove the expired tokens off your current authentication solution with in your AD, the RSA SecurID hard token and save LOTS of money.

 

Crossroads Banner 

Stirred:

Step 1. Purchase and deploy a flexible fixed cost authentication extension.

Step 2. Make sure you have a select group of RSA users that use their smart phone.

Step 3. Prepare the users for the new integration by informing them to install the Google Authenticator and assure them the changeover will be completely guided and painless because the user  can use both in parallel until their RSA license expires.

Step 4. Remove the expired RSA users off your current authentication solution with in your AD and save LOTS of money.

 

Solution Example History:

RSA SecurID Token: SecurID is RSA’s flagship authentication solution and has been a staple in many companies’ stronger authentication tool box for many years. However, this 2FA solution is also know to carry a hefty price tag and a set expiration date requiring a new token to be purchased at an established time.

YubiKey Token by Yubico: This modern solution is a USB token that provides stronger authentication and a one-time password at the push of a button. This token is much more affordable and does not carry an expiration date, so there is no need to replace the unit after a set amount of time.

Who is enjoying an authentication cocktail?

It is not uncommon for a company to run two separate authentication solutions in tandem for a number of possible reasons.

Accommodate select user’s needs: Employees that either work remotely or are constantly on the road can require a different type of stronger authentication to accommodate their needs.

Security clearance levels: Not everyone in an organization has access to or needs access to classified information, so why should they all use the OTP delivery method?

Transition from one 2FA solution to another: At times there are restrictions that either make a complete switch over impossible or just not plausible.

When any of these situations presents itself, an authentication cocktail is just what the doctor ordered and could be the answer you need.

Where to find the best authentication cocktail?

Unlike a good martini at a lounge, the best place to find one is in your own environment. The key is to finding the right main ingredient, a solution that can be that bridge, allow for different solutions to be working in tandem, and save you money in the process. It is important to find a solution that is flexible enough and built to allow for user groups to be segmented. Many IT professionals have turned to the authentication experts at PortalGuard to successfully establish and run an “authentication cocktail.”

Read More

Breach Fatigue: Don’t Be a Victim

Data Breach, Data Fatigue, Securauth

 

In recent weeks, the largest bank in the United States, JP Morgan Chase & Co., has fallen victim to cybercriminals.

Last Thursday, JP Morgan unveiled that hackers obtained stolen information from their customers.  This included personal information such as names, addresses, phone numbers, and e-mail addresses from over 76 million households and 7 million small businesses.

Scary, right?

One would think.

According to a recent article from The Washington Post “Data breach fatigue follows two cyber intrusions”, author Sarah Halzack shares insight on how consumers are not as worried about data breaches as they should be.   There is a constant increase of consumers ignoring notifications of a potential data theft crisis. In addition, the majority of these consumers did not stop doing business with companies that have been hit by cybercriminals.

Consumers need to over come this breach fatigue, and here’s why:

With 579 data breaches just this year, cybercriminals are on the rise.  With crucial information such a passwords or credit cards numbers, cybercriminals may have direct access to one’s financial accounts. Although this is not the case for JP Morgan, an identify theft can lead to many more opportunities for attack.  According to “Your JPMorgan account got hacked. Now what?”, author Danielle Douglas-Gabriel shares her concerns that although the JPMorgan hackers do not posses any “critical” information from its users (i.e. passwords, user ID’s or credit card numbers), consumers still need to be aware.  All a hacker needs is a user’s email account to gain access to so much more.  By simply having access to one’s email, a hacker can create authentic looking emails from banks asking for more critical customer information. And in the blink of an eye, your identity is stolen.

So, are you protected?

As the age of Internet and mobile devices is upon us, one needs to be proactive in securing their identity.  There are many different types of breaches and many different solutions that help protect against those breaches.

One way to protect yourself from phishing emails is to never share sensitive data throughout the cyber world.  For more great tips on preventing phishing scams, check out Lisa Eadicicco’s article on avoiding phishing scams, “How to Avoid Phishing : 8 Tips to Protecting Your Digital Identity.”

Another way to prevent a possible cybercriminal attack is by using a 2-factor authentication solution.  By applying an additional level of security, it ensures an additional level of protection. More than merely a password is necessary to gain access to one’s account.

So, as we inch closer and closer to a completely virtual world, consumers need to be aware of breach fatigue, the consequences it has in store, and how to overcome it.

 

http://www.pressherald.com/2014/10/07/data-breach-fatigue-follows-2-cyber-intrusions/

http://www.washingtonpost.com/news/get-there/wp/2014/10/03/your-jpmorgan-account-got-hacked-now-what/

http://scamicide.com

 

 

 

Read More

Breach Fatigue: Don't Be a Victim

Data Breach, Data Fatigue, Securauth

 

In recent weeks, the largest bank in the United States, JP Morgan Chase & Co., has fallen victim to cybercriminals.

Last Thursday, JP Morgan unveiled that hackers obtained stolen information from their customers.  This included personal information such as names, addresses, phone numbers, and e-mail addresses from over 76 million households and 7 million small businesses.

Scary, right?

One would think.

According to a recent article from The Washington Post “Data breach fatigue follows two cyber intrusions”, author Sarah Halzack shares insight on how consumers are not as worried about data breaches as they should be.   There is a constant increase of consumers ignoring notifications of a potential data theft crisis. In addition, the majority of these consumers did not stop doing business with companies that have been hit by cybercriminals.

Consumers need to over come this breach fatigue, and here’s why:

With 579 data breaches just this year, cybercriminals are on the rise.  With crucial information such a passwords or credit cards numbers, cybercriminals may have direct access to one’s financial accounts. Although this is not the case for JP Morgan, an identify theft can lead to many more opportunities for attack.  According to “Your JPMorgan account got hacked. Now what?”, author Danielle Douglas-Gabriel shares her concerns that although the JPMorgan hackers do not posses any “critical” information from its users (i.e. passwords, user ID’s or credit card numbers), consumers still need to be aware.  All a hacker needs is a user’s email account to gain access to so much more.  By simply having access to one’s email, a hacker can create authentic looking emails from banks asking for more critical customer information. And in the blink of an eye, your identity is stolen.

So, are you protected?

As the age of Internet and mobile devices is upon us, one needs to be proactive in securing their identity.  There are many different types of breaches and many different solutions that help protect against those breaches.

One way to protect yourself from phishing emails is to never share sensitive data throughout the cyber world.  For more great tips on preventing phishing scams, check out Lisa Eadicicco’s article on avoiding phishing scams, “How to Avoid Phishing : 8 Tips to Protecting Your Digital Identity.”

Another way to prevent a possible cybercriminal attack is by using a 2-factor authentication solution.  By applying an additional level of security, it ensures an additional level of protection. More than merely a password is necessary to gain access to one’s account.

So, as we inch closer and closer to a completely virtual world, consumers need to be aware of breach fatigue, the consequences it has in store, and how to overcome it.

 

http://www.pressherald.com/2014/10/07/data-breach-fatigue-follows-2-cyber-intrusions/

http://www.washingtonpost.com/news/get-there/wp/2014/10/03/your-jpmorgan-account-got-hacked-now-what/

http://scamicide.com

 

 

 

Read More

UPS Hacked!

UPS hacked!

“It was the best of times, it was the worst of times.”

 

This famous quote from Charles Dickens’ classic novel, A Tale of Two Cities, gives insight into how two forces, like good and evil, are equal rivals contending for survival. The same goes for the world of cyber security. We have a world of information, convenience, and entertainment at our fingertips, and yet, in that world, there are dangers and possibilities to have valuable information stolen.

 

In Alex Roger’s time.com article, “UPS: We’ve Been Hacked,” Roger’s reports on the newest breach within The UPS. “The United Parcel Service announced Wednesday that customers’ credit and debit card information at 51 franchises in 24 states may have been compromised.” Rogers continues, “The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26.” Even though the breach was wide ranging, UPS assured that on August 11 the threat  was resolved.

 

UPS issued a public statement, “The customer information that may have been exposed includes names, postal addresses, email addresses and payment card information. Not all of this information may have been exposed for each customer. Based on the current assessment, The UPS Store has no evidence of fraud arising from this incident.” UPS went on to say that it is safe to shop at all of the UPS branches.

 

As fiction continually tells us in pros and verse, good and evil will always be at odds with each other, just as Dickens foreshadows in A Tale of Two Cities. So what can we do about it? Well, our job is twofold. We need to be sure to follow the Password Best Practices (PBP) and petition applications and companies that we use on a daily bases to start supporting Two-factor.

 

Password Best Practices

 

Password Best Practice (PBP) is the easiest way to accomplish login security to your applications and portals to access private information. PBP gives practical advice on how to strengthen your password, how often to change your password, what not to do with your password, and much more. By enforcing and educating users on PBP, you are on your way to achieving stronger passwords and making logins more secure. PennState has done a great job outlining the Password Best Practices on their site. The article is a great resource and reminder of what we should be doing with our passwords.

 

What you can do to about Two-factor Authentication

 

You may ask yourself what you can do to ensure that private and person information is protected with two-factor. There are two things that one can do. First, if you have the sway and influence, there are identity management providers that provide usable two-factor, protecting against network attacks. Secondly, if you are only a user and have no influence in the IT Department, there is a great site that contains a Two-factor Authentication list. From this list you can send a direct request to those that are not currently supporting Two-factor Authentication. The list is a great way to see if your favorite applications and websites are doing their part in protecting your personal information from network attacks worldwide.

 

Even though we seem to be living in a constant state of “the best of times, it was the worst of times,” we can do our best to fight against the evil of stolen identities and by educating ourselves on Password Best Practices and petitioning companies to support Two-factor Authentication.

Read More

The IT Professional vs. The Deadly Data Breach

IT Professional vs. Deadly Data Breach

 

The Deadly Data Breach

We know it well, the Deadly Data Breach! So many people have felt the effects of a data breach, and so many companies are scrambling to protect the personal information they have on file. I am sure data breaches are on the minds of every IT professional that has kept up with the most recent breaches. No one goes unscathed by The Deadly Breach: P.F. Changs, Goodwill, Home Depot, and numerous schools.

Home Depot’s recent data breach reaches all the way back to April first of this year. According to Steven Weisman’s blog article, “Important Home Depot Update,” Weisman reports that “along with the credit card numbers and debit card numbers, the hackers also are selling the state and zip code for the particular cards.  This enables the hackers to defeat some fraud detection programs that pick up charges made from areas far from the home of the card holder.” This just covers up and prolongs agencies from discovering a security breach sooner. The Deadly Data Breaches just keep getting more deadly!

 

The Cost of The Deadly Data Breach

The cost of the deadly data breach doesn’t stop at the yearly budget meeting. There are many different costs when a breach strikes: the cost of private information, the cost of an organization’s reputation, and the actual monetary cost. Target’s data breach cost them $148 million dollars so far, and having more stores than Target, Home Depot will most likely exceed that number. At this moment in time, I do not envy the IT Professional and truly feel for them; thankfully, there are some great resources for IT Professionals. For example, Liisa Thomas’s book, Thomas on Data Breach: A Practical Guide to Handling Data Breach Notifications Worldwide, is a great resource for the IT Professional contending with The Deadly Data Breach.

 

What Can Anyone Do?

There are many things that both the IT Professionals and the end users may do to proactively protect themselves from having their identity stolen. In reference to the Home Depot breach, Weisman gives practical tips on protecting yourself from identity theft. Weisman’s blog Scamicide is a great resource on daily technical news and practical tips to protect against hacktivists.

 

  • Password Best Practices: These are a great place for the IT Professional to start in their fight against the Deadly Data Breach. Password Best Practices are common sense protocols for passwords and a great place to start creating a healthy password environment for your organization. PennState has a great article on Password Best Practices that I found very helpful.

 

  • Speak Up: For the end user, there is a great website that was featured in the NYTimes that has a list of applications supporting two-factor authentication. The end user is also able to send a request to their favorite website/application requesting that they support two-factor.

 

 

We are in an age where logins are a part of life and the gateway to private and confidential data. As the tsunami of data breaches continues to destroy and damage the cyber world, it is time to look towards stronger authentication to reduce the impact on organizations worldwide.

 

 

http://scamicide.com/2014/09/11/scam-of-the-day-september-11-2014-important-home-depot-update/

Read More

You Have a Case of Identity Theft!

Identity Theft

It’s the hot topic in the news, blogs, books, and more, identity theft and security! We are all susceptible to identity theft from the individual user to the largest corporation.

 

Author Steve Weisman has been speaking on Identity Security for years, including his blog Scamicide and in his books The Truth About Avoiding Scams and Identity Theft Alert: 10 Rules You Must Follow. The most recent breach, the Community Heath System, is one that Weisman covers in his blog entry Community Health Systems and the Chinese hacker. By now we all know the characters in the story, hacker wants sensitive data, companies have budgets and time restraints, and users want usability. In his blog post, “Community Health Systems Data Breach Update”, Weisman wisely states, “It has been said that the price of liberty is eternal vigilance and that is also important in maintaining your own personal security.  People who did not change their passwords following the Heartbleed security flaw first being uncovered should take this as a wake up call to do so now.” I concur!

 

(read on to learn how you can make a difference)

 

Weisman goes on to give some great examples on how to protect credit and to watch for fraud. But we all know that that is not where the story ends. Weisman states the grim truth that “it is not unusual for hackings and data breaches to remain undiscovered for significant periods of time.  This data breach may be the first major data breach connected to Community Health Systems, but it is most likely not going to be the last.” Sadly, he is most likely correct.

 

Organizations and companies need to transition to stronger authentication; one way they can do this is with a usable authentication solution. Why usable? Well, let’s not forget one of the main characters in this story, the user. Users want usability when it comes to identity security and logging into their accounts, and there are many solutions that are rising to the occasion to provide both security and usability to organizations. PortalGuard is one solution that brings usable Two-factor Authentication to the table with printable OTPs, SMS, and PassiveKey.

 

So there is no doubt that security needs to be increased and usability cannot be forgotten, but what can you do as an individual to increase authentication security within the organizations that you use on a daily bases? Well, I am glad you asked. I just happen to have the perfect site that was promoted on newyorktimes.com in Ron Lieber’s article A Two-step Plan to Stop Hackers.  Twofactorauth.org allows you to send a tweet requesting that organizations and apps that are housing your personal information support two-factor. (you may now cheer and applaud) Find out if your favorite app is using Two-factor or take it into your own hands to tell them to support Two-factor.

 

Weisman ends his blog post reminding us that “you are only as safe as the places that hold your personal information and some of them have poor security.” How true that is, and how slow many are at implementing the necessary steps to secure our personal and private data. In conclusion, you have really two choices as a user.

 

Cut out all technology from your life and keep your savings under your mattress

OR

Make smart identity choices and request that those that are housing your personal information implement a usable, two-factor solution.

Read More

More Compromised Students and Faculty

butlerlogoblue

Recently, there was yet another security breach at a college campus. This time the victim was Butler University, where a hacker accessed over 160,000 records for current, past students and faculty. The information stolen was the typical pertinent information that is stolen in this type of breach.

Names, Social Security numbers, date of birth, and bank account information.

The announcement of this breach comes due to an identity theft investigation that came from California law enforcement. The perpetrator that was caught possessed a flash drive that contained all of the data stolen from Butler University. Through the work of a third party investigator, it was uncovered that the information was stolen by remote hackers who accessed the Universities network between November 2013 and May 2014.

When will all of this craziness stop and people take security seriously?

I find it interesting that there is not more of an outcry from the general public to make sure that organizations are protecting their information. It used to be that colleges and universities were less likely to get attacked, since students typically do not have any credit in general. However, this year we have seen two other colleges in the spring and a high school earlier this summer.

There are schools, like Dalton State College and Clermont Northeastern School District, that have taken a serious look at this problem and addressed it by partnering with PortalGuard to deploy a two-factor authentication solution. By adding a two-factor authentication solution to their environment, they are able to ensure that the end-user is who they claim to be and not an imposter or hacker. This type of authentication can also deter man-in-the-middle attacks as well.

 

Read More

Violated Database: Montana Department of Public Health and Human Services

Creeper

Your car has been broken into, yet nothing was stolen. Nothing was stolen, so no big deal, right? WRONG! You would still feel violated, creeped out, and concerned about it happening again. The Montana Health Department has experienced a similar data breach.

 

On May 15th, Montana’s Department of Public Health and Human Services (DPHHS) officials noticed out of the ordinary activity. After further investigation, DPHHS confirmed that a server had been breached by hackers, and according to Alison Diana’s article Montana Health Department Hacked,“1.3 million people of the incident” are being notified of the breach and ensured that their information will be protected. Diana continues by stating, “there is no evidence this information was used inappropriately – or even accessed.”

 

At the moment, DPHHS is ensuring that a stronger security solution will be put in place to prevent such attacks from happening again, and extra measures are being taken to ensure that all citizen information is not compromised. There is a help line that DPHHS has on their website with information for potentially affected patients.

 

Diana continues in her article on the increase in attacks on healthcare databases, “many healthcare breaches have historically resulted from employee carelessness or error, hackers are increasingly attracted to this industry’s rich stash of personal data — including Social Security numbers, credit card information, and addresses — and personal health information.” With all this private information being housed within a healthcare database, it is imperative that a stronger authentication solution be put in place, along with educating employees on Password Best Practices (PBP). Many IT professionals are turning to PortalGuard for Healthcare for stronger security and increased usability for their corporation.

 

 

http://www.informationweek.com/healthcare/security-and-privacy/montana-health-department-hacked/d/d-id/1278872

Read More