How to Make an Authentication Cocktail


Who doesn’t enjoy a good cocktail?

James Bond liked his “shaken, not stirred” and most like them “on the rocks.” All this talk of cocktails is making me thirsty! However, today we are not here to talk about drinking a delicious drink; we are here to talk about an authentication cocktail.

What is an “authentication cocktail?”

An authentication cocktail is the pairing of two separate two-factor authentication (2FA) one-time password (OTP) delivery methods into a full-bodied combination that works in tandem, so that you can reach the level of security every end user needs while still meeting your corporate security policy.

An authentication cocktail can be made either shaken or stirred depending on your needs.

RECIPE

Ingredients:

Makes 1 flexible solution

- Flexible authentication extension

- Registered users on Active Directory (AD)

- One current authentication solution (example: RSA SecurID token)

- One new authentication solution (example: YubiKey token)

- Select user groups


DIRECTIONS

Shaken:

Step 1. Purchase and deploy a flexible fixed cost authentication extension.

Step 2. Make sure you have a select group of RSA users that you can introduce to the easier plug-and-play USB YubiKey token.

Step 3. Prepare the users for the new integration by informing them of the change and assuring them the changeover will be completely guided and painless, because each user can use both tokens in parallel until their RSA token expires.

Step 4. Remove the expired RSA SecurID hard tokens from your current authentication solution within your AD and save LOTS of money.


Stirred:

Step 1. Purchase and deploy a flexible fixed cost authentication extension.

Step 2. Make sure you have a select group of RSA users that use their smartphone.

Step 3. Prepare the users for the new integration by informing them to install Google Authenticator and assuring them the changeover will be completely guided and painless, because each user can use both methods in parallel until their RSA license expires.

Step 4. Remove the expired RSA users from your current authentication solution within your AD and save LOTS of money.
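The policy that both recipes rely on, a pilot user group that may satisfy the second factor with either the legacy token or the new method until the legacy token expires, as an added example (not PortalGuard's code). The new method is TOTP per RFC 6238, which is what Google Authenticator computes; the RSA SecurID check is proprietary, so it is an injected callback, and the group name, user data and secret are constructed.

```python
"""Parallel-run second-factor policy for a token migration (constructed example)."""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Callable, Optional, Set

PILOT_GROUP = "2FA-Pilot"   # assumed AD group holding the select users
LEGACY = "legacy-token"     # the current solution (e.g. RSA SecurID)
NEW = "totp"                # the new solution (e.g. Google Authenticator)


@dataclass
class User:
    name: str
    ad_groups: Set[str]
    legacy_expiry: float                    # epoch seconds when the legacy token/license expires
    totp_secret_b32: Optional[str] = None   # set once the user has enrolled the new method


def allowed_methods(user: User, now: float) -> Set[str]:
    """Which second factors this user may use at time `now` (the overlap window)."""
    methods: Set[str] = set()
    if now < user.legacy_expiry:
        methods.add(LEGACY)                      # legacy token still valid: keep accepting it
    if PILOT_GROUP in user.ad_groups and user.totp_secret_b32:
        methods.add(NEW)                         # pilot user who has enrolled the new method
    return methods


def totp_code(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as Google Authenticator computes it."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: float, drift_steps: int = 1) -> bool:
    """Accept the current code or one step either side to absorb phone clock drift."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp_code(secret_b32, now + 30 * k), code):
            return True
    return False


def second_factor_ok(user: User, method: str, code: str, now: float,
                     legacy_verify: Callable[[User, str], bool]) -> bool:
    """Policy gate: the method must be allowed for this user now, then the code must verify."""
    if method not in allowed_methods(user, now):
        return False                             # e.g. legacy token presented after its expiry
    if method == LEGACY:
        return legacy_verify(user, code)         # proprietary check, injected (assumption)
    return verify_totp(user.totp_secret_b32, code, now)


if __name__ == "__main__":
    now = time.time()
    # Constructed pilot user; the secret is the RFC 6238 test-vector key in base32.
    alice = User("alice", {"Staff", PILOT_GROUP}, legacy_expiry=now + 30 * 86400,
                 totp_secret_b32="GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    legacy_stub = lambda u, c: c == "123456"     # constructed stand-in for the SecurID check
    print(allowed_methods(alice, now))            # both methods during the overlap
    print(second_factor_ok(alice, NEW, totp_code(alice.totp_secret_b32, now), now, legacy_stub))
    print(allowed_methods(alice, alice.legacy_expiry + 1))   # only 'totp' once the token expires
```

A user outside the pilot group never gets the new method, and once their legacy token expires they have no allowed second factor at all, which is the point at which Step 4 removes them.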

Solution Example History:

RSA SecurID Token: SecurID is RSA’s flagship authentication solution and has been a staple in many companies’ stronger authentication toolbox for many years. However, this 2FA solution is also known to carry a hefty price tag and a set expiration date, requiring a new token to be purchased at an established time.

YubiKey Token by Yubico: This modern solution is a USB token that provides stronger authentication and a one-time password at the push of a button. This token is much more affordable and does not carry an expiration date, so there is no need to replace the unit after a set amount of time.

Who is enjoying an authentication cocktail?

It is not uncommon for a company to run two separate authentication solutions in tandem for a number of possible reasons.

Accommodate select users’ needs: Employees that either work remotely or are constantly on the road can require a different type of stronger authentication to accommodate their needs.

Security clearance levels: Not everyone in an organization has access to or needs access to classified information, so why should they all use the same OTP delivery method?

Transition from one 2FA solution to another: At times there are restrictions that either make a complete switch over impossible or just not plausible.

When any of these situations presents itself, an authentication cocktail is just what the doctor ordered and could be the answer you need.

Where to find the best authentication cocktail?

Unlike a good martini at a lounge, the best place to find one is in your own environment. The key is finding the right main ingredient: a solution that can be the bridge, allow different solutions to work in tandem, and save you money in the process. It is important to find a solution that is flexible enough and built to allow user groups to be segmented. Many IT professionals have turned to the authentication experts at PortalGuard to successfully establish and run an “authentication cocktail.”

Google Removes Ad Scanning for Apps within Education for Good

Recently, Google made an announcement via their blog stating they will be permanently removing any form of ad scanning for applications associated with education users. Google was quick to point out that they never intended to collect data in education-based Apps, and in the past, an Admin on campus would have had to enable the ad scanning. However, even if the admin had enabled ad scanning, it will no longer be enabled within their environment.

To give you a brief overview of the ad scan, it is a blind algorithm that Google uses to scan your email and usage to provide you with more targeted advertisements based on your information.

The new Google policy is as follows:

“Google Apps for Education services do not collect or use student data for advertising purposes or create advertising profiles.

Gmail for consumers and Google Apps for Education users runs on the same infrastructure, which helps us deliver high performance, reliability and security to all of our users. However, Google Apps is a separate offering that provides additional security, administrative and archiving controls for education, business and government customers.

Like many email providers, we do scanning in Gmail to keep our customers secure and to improve their product experience. In Gmail for Google Apps for Education, this includes virus and spam protection, spell check, relevant search results and features like Priority Inbox and auto-detection of calendar events.  Scanning to provide product features is done on all incoming emails and is 100% automated. We do NOT scan Google Apps for Education emails for advertising purposes.

Additionally, we do not collect or use any information stored in Apps for Education users’ Google Drive or Docs (or Sheets, Slides, Drawings, Forms) for any advertising purposes”

Great news for business based Google Apps users too: this policy will be carried over to these Apps in the near future. Google was quick to point out that it had permanently disabled this feature on all logged in K-12 users last year.

Source: http://time.com/82705/student-pass-google-junks-gmail-ad-scanning-for-student-accounts/#

Alarmingly Low Rate of Employees Receive Security Awareness Training

With the state of the economy, it is not too shocking that only 43% of employees receive security awareness training. Many companies have been faced with reducing their workforce and running “leaner and meaner,” thus devoting all hours of the workday to improving the company’s bottom line. It is hard to believe that such an important element has gone the way of the Dodo bird. One would think that more time would be dedicated to security training given the recent and highly publicized security breaches at other companies.

However, the results of a recent survey by Enterprise Management Associates (EMA) show that 56% of corporate employees have not received any security awareness or policy training.

A recent article from SC Magazine explains EMA’s findings, “Security Awareness Training: It’s Not Just for Compliance, 45 percent of employees received their training in a single annual session. But a one-off training session that covers a broad swath of security issues likely isn’t effective.”

According to the report, the average cost of providing security training is only $50. This seems like a small price, but multiply that by a few hundred users and you start to see why this simple exercise in protecting their company may be overlooked. Yet, providing the staff with proper training could result in saving the organization from the far greater expense of a data breach.

“35 percent said they clicked on an email from an unknown source and 33 percent have the same password for both work and personal devices.” White goes on, while “30 percent still leave mobile devices unattended in their car. They need to know why security is important.”

While under-education of the population at large can seem startling, a best practice for increasing security within any environment is to have a strong password policy that includes specific password expiration increments. In order to deploy such a password policy, the company must first roll out a self-service password reset program. Many companies turn to the authentication experts at PortalGuard for their self-service password reset needs and other authentication solutions.

How to Mend a Broken Heart: The Heartbleed Bug and what you need to know to protect yourself

The news broke this week that the Heartbleed Bug had affected an undetermined number of websites and their users worldwide. At this time it would seem that a large number of people are affected; however, the magnitude of this Bug may not be made clear for some time. Last year, the Adobe breach numbers grew drastically as time moved forward.

So what is the Heartbleed Bug?

The researchers who uncovered the problem describe the Bug as a serious flaw within OpenSSL.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

Currently affected sites:

Some of the popular websites that have been listed as vulnerable include the following:

- Yahoo.com

- Imgur.com

- Flickr.com

- Okcupid.com


How you can protect yourself.

There are a couple of different steps you can take to proactively protect yourself. The first step would be to change your passwords on all of the affected sites that are listed above. It would also be good practice to change all of your passwords in general, just to play it safe. The other, more drastic option would be to avoid using the identified sites entirely. However, this may not be a possible option if you are an active member of the sites affected.

Although many websites do not require password resets to occur on a regular basis, the authentication experts at PortalGuard highly recommend changing your password every 90 days. If you take this simple action, it can possibly save you from a lot of frustration and heartache.

Two More Colleges Exposed: Indiana University and North Dakota University

There seems to be a rise lately in the number of campuses that are being subject to data breaches. Today it was brought to light that North Dakota University’s database was compromised, exposing around 300K current and former students’ information along with some of their staff’s as well. Last week, Indiana University informed nearly 146,000 recent graduates and students that their seven-campus data system had been accidentally exposed.

This news comes on the heels of the recent University of Maryland breach that affected over 300,000 students, staff, and faculty.

Indiana University

In the case of the Indiana University breach, the accidental exposure to the general public was carried out via three automated search engine web crawlers and was apparently indexed three times over the past year.

The exposed information included everything needed to steal a person’s identity easily, including names, addresses, and social security numbers. This data was all being kept in an unsecured location that was easily accessed by the data-mining applications.

The three web crawlers have not been identified at the time of this article, but the University noted that the actions were carried out in a non-malicious way, by regular search engine web crawlers. The good news to report is, no servers or systems were compromised during this data mining.

James Kennedy, the school’s Associate Vice President of Student Services and Systems, said: “This is not a case of a targeted attempt to obtain data for illegal purposes, and we believe the chance of sensitive data falling into the wrong hands as a result of this situation is remote…”

“At the same time, we have moved quickly to secure the data and are conducting a thorough investigation into our information handling process to ensure that this doesn’t happen again.”

North Dakota University

North Dakota University came forth with news that nearly 300K current students, former students, and faculty may be at risk due to a recent hacking. The affected students’ and faculty’s personal information, including names and social security numbers, was exposed during the breach.

North Dakota University came forth with a notification for all that were possibly impacted on their website this past Wednesday. Their IT service provider, Core Technology Services, had been tipped off about the intrusion on February 7, with the initial intrusion taking place back in October of 2013. It would appear that the attack was made by using compromised credentials that had been obtained by an unauthorized user. Once this discovery was made they immediately shut down the affected server.

The tipster in this case was actually a victim of identity fraud rooting back to the breach.

What is this world coming to?

Back twenty years ago, data breaches did happen; people would steal files from offices or files would mysteriously go missing. Fast forward to current day; with so much of our personal information being held on networks, it is now easier for thieves to steal your personal data without even being on the same continent.

This is why it is now more important than ever to make sure that you are doing everything to protect your network from an attack.

One of the best ways to defend your campus against these types of attacks is to deploy a two-factor authentication solution. This would prevent stolen credentials from being enough on their own, because a one-time password would also be required in order to access the account. This one-time password could be provided in a number of secure ways, including sending a text message to a preregistered cell phone.

Many colleges and universities trust their sensitive information to be protected via a web portal that can only be accessed by authorized users. These entry points need to be protected by strong authentication, which more and more campuses are trusting to the authentication experts at PortalGuard.

Sources:

http://www.scmagazine.com/north-dakota-university-system-hacked-roughly-300k-impacted/article/337181/?DCMP=EMC-SCUS_Newswire&spMailingID=8110983&spUserID=Nzc0OTgzMDQ3NzMS1&spJobID=260600201&spReportId=MjYwNjAwMjAxS0

http://www.scmagazine.com/web-crawlers-tap-data-put-about-146k-indiana-univ-students-at-risk/article/336198/

Price vs Cost: One Man's Opinion

With the economic state of the country, you always hear folks talking about the price of an item or how much it cost them. Being in the security industry and a homeowner, I can identify with the struggles that come with sticking to a budget and finding a solution.

However, with security it can truly be a gamble that all too often plays out in a negative way. One comparison we threw around a lot here in the office is a home security system. You constantly see on the news or hear from others stories about homes being robbed and the uneasy feeling of violation that comes with it. It makes you think about yourself, your home, and that could happen to me!

But then your subconscious says those famous last words, “It can’t happen to me.”

Sadly, this is the approach a lot of businesses can take on the stance of cyber security too. Recently, we have all seen the public spectacle that comes with being hacked and the consequences associated with cutting corners on security. I know that I have touched on this topic in a couple of previous articles, but we still hear of companies being breached.

This brings me to my point: when looking at a solution, sometimes we look for the cheapest fix and do not think any further than the price tag associated with the item. But let’s say you don’t even make it that far; you ignore the problem and hope it does not get worse. Then when you go to make the repair, it costs far more money than just addressing the problem from the start. To combat these types of situations, many companies that are working with a tight budget turn to the affordable authentication that PortalGuard offers.

So when faced with the complex decision of price versus the cost, it is always best to consider the big picture and the cost or consequence of all that could happen if you are not proactive in preventing security breaches.

Data Breach on Campus: Over 300,000 Exposed at University of Maryland

This week the University of Maryland came forth with an announcement that their campus database had been breached, exposing sensitive information for over 300,000 students and faculty. The data breach comes on the heels of many other similar data breaches at retailers across the US including Target, Neiman Marcus, and Michaels Craft Stores.

According to a letter from University of Maryland President, Wallace D. Loh on February 19, 2014; “A specific database of records maintained by our IT Division was breached yesterday. That database contained 309,079 records of faculty, staff, students, and affiliated personnel from the College Park and Shady Grove campuses who have been issued a University ID since 1998. The records included name, Social Security number, date of birth, and University identification number. No other information was compromised — no financial, academic, health, or contact (phone, address) information.”

Although the information was limited to the aforementioned personal information, those are almost all of the key things needed to steal someone’s identity.

Kudos to the University for being so forthcoming with information; some companies would rather sit on the information until they have investigated the cause further, which could lead to more problems for all involved. I think that other companies should take note of the steadfastness that the University has shown, notifying those whose information has been exposed and providing them with the support that they need to curb their fears. The University provided all involved with tips on what to look for with possible cases of fraud that can be connected to such a data breach. However, it has yet to be seen if the University will provide the 309,079 affected with the standard credit monitoring service that has been seen in other recent breaches of the same caliber.

President Loh also noted, “With the assistance of experts, we are handling this matter with an abundance of caution and diligence. Appropriate state and federal law enforcement authorities are currently investigating this criminal incident. Computer forensic investigators are examining the breached files and logs to determine how our sophisticated, multi-layered security defenses were bypassed. Further, we are initiating steps to ensure there is no repeat of this breach.”

Security breaches like these cannot always be prevented, but it is important to make sure that your campus or company is properly equipped to combat these types of attacks. There are a few ways to ensure that your data is being guarded from unauthorized users. One is incorporating a two-factor solution, where the person logging in would need to verify their identity by inputting a one-time-use password that is sent to a separate device, like an enrolled cell phone. Many campuses and companies turn to authentication experts like PortalGuard to provide authentication solutions that have been independently tested and proven to enhance security.

Source: http://www.umd.edu/datasecurity/

World’s Largest Beverage Company Compromised

The importance of encrypting data has become more prevalent with recent data breaches at retail stores and social networking sites. The latest company to join the list of offenders or victims, depending on how you look at it, is Coca-Cola.

Last week the Wall Street Journal (WSJ) reported that Coca-Cola had exposed a security breach from within their own company, compromising the personal information of about 74,000 North American employees and contractors.

The breach was due to a few laptops being stolen by a former employee who had been assigned the task of maintaining and disposing of company equipment. Coke reported that it is company policy for all equipment to be encrypted to prevent information from being exposed; however, the stolen laptops were not yet encrypted, so the information was easily accessible.

“Coke said the laptops were later retrieved, and it has ‘no indication’ the personal information had been misused. It didn’t say how it learned of the theft or how the computers were recovered,” reported the WSJ.

18,000 of the affected employees are being sent letters notifying them that their personal information, which included Social Security numbers, addresses, and license numbers, has been compromised. Coke has offered to cover identity-theft services for all parties involved at no charge.

The breach was initially discovered on December 10, 2013, but was not shared with the affected parties until Friday, January 24, 2014, leaving some employees feeling uneasy. Coke identified the reason for the delay in notifying the employees as needing time to go through the recovered laptops and identify all of those involved.

Coke explained the process in a memo to employees: “To expedite the process, we brought in extra crews that worked long hours, including throughout the holiday period and on weekends, to sort through the data.”

Even though the hardware was physically stolen, if the information had been properly protected this breach could easily have been prevented. When a computer or network contains personal data, there should always be a barrier to protect the information. This will ensure that the information can only be viewed by authorized users. For this reason, many companies turn to authorization software, like PortalGuard, to make sure that only authorized users are viewing the information.

Source:

http://online.wsj.com/news/articles/SB10001424052702304632204579341022959922200?mod=WSJ_hp_LEFTWhatsNewsCollection

Hacking Your Way to Love

In this blog, we certainly do not condone hacking in any manner. However, this morning there was a hacking love story that popped up in my newsfeed regarding OK Cupid, a hacking of a different kind on an online dating website. Using mathematics, Chris McKinlay cracked OK Cupid’s algorithm for selecting a mate.

The way that OK Cupid works its magic is by asking specific questions with different levels of importance on each topic. The questions asked by OK Cupid can range from whether the person has a dog or wants kids to what they like to do in their leisure time. McKinlay, like many people, was searching for that perfect companion to share the rest of his life with. However, he noticed that only about 100 matches were found in the greater Los Angeles area and thought that this did not seem accurate.

In June of 2012, McKinlay was working on his mathematics thesis and wondered if he could use math to get more matches on OK Cupid.

“I started thinking about it when I was in dissertation mode, so I was applying grad student mentality to everything back then,” McKinlay said.

Using the math and programming skills he already had, he built a bot to trawl the website and do some research to find out how women within a demographic answered certain questions. He then focused on a couple of questions that he thought would help him find his perfect match.

By applying his theory, the website turned up a staggering number of women who were a good match. This led to 88 dates over three months until he met Christine Wang; they immediately clicked, leading to an engagement after one year.

Good Morning America interviewed Christian Rudder, co-founder and president of OkCupid, and he thought McKinlay’s approach was “pretty cool… In general, whatever people need to do to make OkCupid work for them, we support. The point is to help people find dates — that’s our only goal. We’re totally happy for people to ‘hack’ us. As long as no one is being treated with disrespect or being tricked, which it doesn’t sound like he was doing, then we’re game for it.”

Source:

http://gma.yahoo.com/blogs/abc-blogs/genius-okcupid-hack-led-true-love-212911321–abc-news-topstories.html


Identifying Authentication Challenges in Education: A look within our clients

Recently, while looking through our customer base, we noticed a very interesting trend within our post-secondary education clients. Once we recognized this trend, we wanted to take a moment to identify this top issue and look at some of the reasons why this could be so.

We identified that the most common hurdle that our clients are facing within the education industry is account lockouts, a.k.a. self-service password reset (SSPR).

When looking at the grand scheme of things, this is not really a surprise. Schools have a large number of users, largely made up of students who have many things on their minds; surely, they will lock themselves out of their account at some point. Add to the mix faculty and staff, some of whom may be adjunct or part-time employees of the college or university, and you have quite the cocktail of end users. One more piece to add to this puzzle is new students, both freshmen and transfer students, who are trying to remember all of the aforementioned things and learn a new campus.

Looking at the breakdown of possibilities above, the picture becomes a little clearer as to why SSPR would be top of the charts. Without an SSPR solution in place, this could mean an influx of Help Desk calls to unlock students’ and faculty’s accounts. This would bog down the phone lines and prevent other, more important tech issues from being solved.

Also, think about it from a cost perspective.

At the start of any semester, there would be a large number of calls placed to the Help Desk to assist in unlocking the accounts. For the school, that means that there may be a need to have extra staff on hand to cover these simple calls. But adding extra staff is not as simple as it sounds: the extra staff costs the college wages, extra training, and the cost of extra equipment needed for them to do their jobs. All of those extras can add up in a hurry!

At the end of the day, PortalGuard understands this is a pain point for the education industry and has provided affordable solutions to help reduce Help Desk calls and also provide strong authentication security on the backend.