Backyard SSO Hero

So, my neighbor, Penny, peeks her head over the fence and asks me what I think about this SSO stuff. What makes her think I even want to chat in the first place . . . the game is on and I’m stuck out here? Can’t she see all these leaves taunting me because the leaf blower won’t start? A more appropriate discourse would have been something like, “Hey, my kids are looking for something to do. Can they rake your leaves for you?” But nevertheless, as I reluctantly get off my knees to graciously accept her unwanted invitation for fence banter, she continues with, “What does it even stand for? People I work with have been throwing it around, and I feel like I’m missing out on something. Does it stand for ‘Sorry So Obvious’ or ‘Seek Some Outdoors’ or maybe some form of ‘See ya Soon’?”

She now has me amused, and I’m finding her unsolicited remarks more interesting than the task at hand. I slowly get upright and reply to her with, “SSO stands for Single Sign On, and you may have it in place if your work day is not interrupted by too many security logins to the various applications you use at work. You are able to save time with SSO.”

“Security logins? What are those?” she replies.

“Do you have to provide an account name and password when you log into your computer in the morning?” I ask.

“Yes,” she states.

“Do you then have to provide additional username and password combinations to access other applications, such as SharePoint or Google Apps?”

“Oh, do you mean like Blackboard or my email?” she asks.

“Yes, exactly like Blackboard and Outlook Web App. How do you like logging in that many times in one day?” I inquire.

“It drives me nuts!” she retorts. “I have already shown the computer who I am, so why does it keep asking me to provide more names and passwords?! Our IT guy tells us we need to make strong passwords with symbols, upper and lower case letters, and even numbers. Oh noooo… you can’t even make it something that is easy to remember because it would be too easy to guess. That’s hard enough, and then we can’t write it down! My job is stressful enough without having to be bothered with all these usernames and passwords, not to mention dealing with an IT staff member should you, dare I say it . . . forget your password.”

Whoa! When did I become the neighborhood technical therapist? 😉 Anyway, football game and lawn work aside, Penny needs help and I’m the closest one to her at this point… the sacrifices we dedicated IT people make. I reassured Penny, “Single Sign On is going to be your best friend soon. You will be able to save time with SSO, and SSO reduces the phishing attack space. Not to mention, having SSO in place will eliminate most of the bad experiences you are having with passwords and authentication.”

Penny asks, “Soon? Why do you say soon?”

I reply, “Because it’s obvious that your company has not implemented SSO yet, given your multiple logins, and it looks like you can be the hero that starts the revolution for your co-workers. Here’s what you do when you get back to work on Monday. See if you can find someone with buying power, and plant a seed with the following facts.

1- Save time with SSO! Save time not only for the individual users who no longer have to log in to everything, but also for the IT people who are currently supporting users with multiple accounts and passwords.

2- Remind that person how grateful the IT staff will be to the person who puts SSO in place and takes a lot of frustration and despair out of their work week.

3- And for the knockout blow, SSO reduces the phishing attack space. You can let that lucky person know that eliminating all those logins reduces the phishing attack space considerably. Should they ask how to get started, you can give them the www.portalguard.com website.”

The next thing I know, I’m watching the game, and Penny’s kids are finishing up the yard work.

How to Make an Authentication Cocktail

Who doesn’t enjoy a good cocktail?

James Bond liked his “shaken, not stirred” and most like them “on the rocks.” All this talk of cocktails is making me thirsty! However, today we are not here to talk about drinking a delicious drink; we are here to talk about an authentication cocktail.

What is an “authentication cocktail?”

An authentication cocktail is the pairing of two separate two-factor authentication (2FA) one-time password (OTP) delivery methods to make a full-bodied authentication combination that works in tandem to achieve the level of security needed to accommodate all end users and maintain your corporate security policy.

An authentication cocktail can be made either shaken or stirred depending on your needs.

RECIPE

Ingredients:

Makes 1 flexible solution

- Flexible authentication extension

- Registered users on Active Directory (AD)

- One current authentication solution (example: RSA SecurID token)

- One new authentication solution (example: YubiKey token)

- Select user groups


DIRECTIONS

Shaken:

Step 1. Purchase and deploy a flexible fixed cost authentication extension.

Step 2. Make sure you have a select group of RSA users that you can introduce to the easier plug and play USB YubiKey token.

Step 3. Prepare the users for the new integration by informing them of the change, and assure them the changeover will be completely guided and painless because the user can use both in parallel until their RSA token expires.

Step 4. Remove the expired RSA SecurID hard tokens from your current authentication solution within your AD and save LOTS of money.

Stirred:

Step 1. Purchase and deploy a flexible fixed cost authentication extension.

Step 2. Make sure you have a select group of RSA users that use their smart phone.

Step 3. Prepare the users for the new integration by informing them to install Google Authenticator, and assure them the changeover will be completely guided and painless because the user can use both in parallel until their RSA license expires.

Step 4. Remove the expired RSA users from your current authentication solution within your AD and save LOTS of money.

Solution Example History:

RSA SecurID Token: SecurID is RSA’s flagship authentication solution and has been a staple in many companies’ stronger authentication toolbox for many years. However, this 2FA solution is also known to carry a hefty price tag and a set expiration date, requiring a new token to be purchased at an established time.

YubiKey Token by Yubico: This modern solution is a USB token that provides stronger authentication and a one-time password at the push of a button. This token is much more affordable and does not carry an expiration date, so there is no need to replace the unit after a set amount of time.

Who is enjoying an authentication cocktail?

It is not uncommon for a company to run two separate authentication solutions in tandem for a number of possible reasons.

Accommodate select users’ needs: Employees who either work remotely or are constantly on the road can require a different type of stronger authentication to accommodate their needs.

Security clearance levels: Not everyone in an organization has access to or needs access to classified information, so why should they all use the same OTP delivery method?

Transition from one 2FA solution to another: At times there are restrictions that either make a complete switch over impossible or just not plausible.

When any of these situations presents itself, an authentication cocktail is just what the doctor ordered and could be the answer you need.

Where to find the best authentication cocktail?

Unlike a good martini at a lounge, the best place to find one is in your own environment. The key is finding the right main ingredient: a solution that can be that bridge, allow different solutions to work in tandem, and save you money in the process. It is important to find a solution that is flexible enough and built to allow user groups to be segmented. Many IT professionals have turned to the authentication experts at PortalGuard to successfully establish and run an “authentication cocktail.”

Violated Database: Montana Department of Public Health and Human Services

Your car has been broken into, yet nothing was stolen. Nothing was stolen, so no big deal, right? WRONG! You would still feel violated, creeped out, and concerned about it happening again. The Montana Health Department has experienced a similar data breach.

On May 15th, Montana’s Department of Public Health and Human Services (DPHHS) officials noticed out-of-the-ordinary activity. After further investigation, DPHHS confirmed that a server had been breached by hackers, and according to Alison Diana’s article Montana Health Department Hacked, “1.3 million people of the incident” are being notified of the breach and assured that their information will be protected. Diana continues by stating, “there is no evidence this information was used inappropriately – or even accessed.”

At the moment, DPHHS is ensuring that a stronger security solution will be put in place to prevent such attacks from happening again, and extra measures are being taken to ensure that all citizen information is not compromised. There is a help line that DPHHS has on their website with information for potentially affected patients.

Diana continues in her article on the increase in attacks on healthcare databases, “many healthcare breaches have historically resulted from employee carelessness or error, hackers are increasingly attracted to this industry’s rich stash of personal data — including Social Security numbers, credit card information, and addresses — and personal health information.” With all this private information being housed within a healthcare database, it is imperative that a stronger authentication solution be put in place, along with educating employees on Password Best Practices (PBP). Many IT professionals are turning to PortalGuard for Healthcare for stronger security and increased usability for their corporation.

http://www.informationweek.com/healthcare/security-and-privacy/montana-health-department-hacked/d/d-id/1278872

Press Release: Get the Level of Identity Management Your Campus NEEDS for Office 365

BEDFORD, NH – (Marketwire – June 25, 2014) – Today, PistolStar, Inc. announced the integration of its PortalGuard product with Office 365. This integration will give administrators the power to choose the level of convenience and security they desire for their students and faculty while accessing Office 365, including:

- Self Service Password Reset (SSPR)

- Single Sign-on (SSO)

- Two-factor Authentication

With PortalGuard integrated with Office 365, schools now get the level of identity management they need. Gregg Browinski, CTO of PistolStar, Inc., comments on the level of identity management and security with PortalGuard. “Using Office 365 guarantees 99.9% uptime for your campus email infrastructure, but this benefit is moot if students forget their passwords and can’t login. Federating Office 365 with a local ADFS instance can allow SSO but this just pushes a ‘forgotten password’ scenario further back to the desktop login and still lacks stronger two-factor authentication or self-service password reset options.” Browinski continues, “Swapping PortalGuard in place of ADFS in this architecture can provide standards-based web SSO and highly flexible SSPR from a single, tightly integrated, brandable, login interface.”

Using PortalGuard’s SSPR, students and faculty are given the power to reset their passwords from the web or desktop, reducing help desk calls and increasing ROI. SSO streamlines the login and reduces the barriers to access; with just a single login, the students and faculty gain access to all of their authorized applications, including Blackboard, Moodle, Canvas, Banner, Google Apps, and Office 365.

PortalGuard provides you with the level of identity management your campus needs. Learn more about PortalGuard®’s seamless integration for Office 365 and other education applications on our Education Page.

Honesty is the Best Policy: Passwords, IT Security Professionals, and Llamas!

Well, the truth is that many organizations are just not enforcing the basics of Password Best Policies (PBP), never mind investing in and enforcing stronger identity security. With so much emphasis on ROI, the truth is IT Security Professionals make the dangerous decision to purchase the minimal authentication solution just to have “something” in place. And the truth about Llamas is never tick off a Llama; they spit when provoked or threatened!

Passwords are precious things and have lost their importance in the eyes of the public. According to Teri Robison’s article, Study: Security pros still grappling with lax password policies, on SC Magazine, “respondents to Lieberman Software’s ‘2014 Information Security Survey’ saying that they can still access systems at a previous place of employment by using old credentials. Disturbingly, in some cases, the report found, they can even access the systems of two or more employers.” A good place to start would be PBP, but sadly, Robison states that the 2014 Information Security Survey reports “quite a few respondents — nearly one in four — say their organizations don’t change their service and process account passwords within 90 days, which is recommended by most mandatory regulations.” This is staggering, and I believe there is a Llama spitting somewhere right now.

Also in the article, Robison quotes Lieberman stating, “’it’s astonishingly common’ in corporate and government networks for the administrator passwords . . . ‘to be shared across multiple systems, remain unchanged for extended periods of time, and be used without any access control or audit records.’” It goes without saying this is an unacceptable policy . . . anywhere!

With all the breaches in security you would think the lesson would be learned indirectly and companies would prioritize authentication security. But truth be told, Robison also quotes Lieberman stating, “a breach ups interest in investing in security, but not for long . . . with a ‘half-life mentality’ companies loosen the purse strings in the wake of a data breach, ‘diminishing back to basic security after a few months,’” a sad truth to be sure.

In closing, it is a no-brainer that passwords must be stronger and PBP awareness shared, IT Security Professionals must invest in a solution that increases ROI, and stronger security means commitment!

So go ahead! Invest . . . the Llamas won’t mind.

Source:

http://www.scmagazine.com/study-security-pros-still-grappling-with-lax-password-policies/article/348888/2/

Alarmingly Low Rate of Employees Receive Security Awareness Training

With the state of the economy, it is not too shocking that only 43% of employees receive security awareness training. Many companies have been faced with reducing their workforce and running “leaner and meaner,” thus devoting all hours of the workday to improving the company’s bottom line. It is hard to believe that such an important element has gone the way of the Dodo bird. One would think that more time would be dedicated to security training given the recent and highly publicized security breaches at other companies.

However, the results of a recent survey by Enterprise Management Associates (EMA) show that 56% of corporate employees have not received any security awareness or policy training.

A recent article from SC Magazine explains the findings of EMA’s report, “Security Awareness Training: It’s Not Just for Compliance”: “45 percent of employees received their training in a single annual session. But a one-off training session that covers a broad swath of security issues likely isn’t effective.”

According to the report, the average cost of providing security training is only $50. This seems like a small price, but multiply that by a few hundred users and you start to see why this simple exercise in protecting their company may be overlooked. Yet, providing the staff with proper training could result in saving the organization from the far greater expense of a data breach.

“35 percent said they clicked on an email from an unknown source and 33 percent have the same password for both work and personal devices.” White goes on, while “30 percent still leave mobile devices unattended in their car. They need to know why security is important.”

While under-education of the population at large can seem startling, a best practice for increasing security within any environment is to have a strong password policy that includes specific password expiration increments. In order to deploy such a password policy, the company must first roll out a self-service password reset program. Many companies turn to the authentication experts at PortalGuard for their self-service password reset needs and other authentication solutions.

Price vs Cost: One Man's Opinion

With the economic state of the country, you always hear folks talking about the price of an item or how much it cost them. Being in the security industry and a home owner, I can identify with the struggles that come with sticking to a budget and finding a solution.

However, with security it can truly be a gamble that all too often plays out in a negative way. One comparison we threw around a lot here in the office is a home security system. You constantly see on the news or hear from others stories about homes being robbed and the uneasy feeling of violation that comes with it. It makes you think about yourself, your home, and that could happen to me!

But then your subconscious says those famous last words, “It can’t happen to me.”

Sadly, this is the approach a lot of businesses can take on the stance of cyber security too. Recently, we have all seen the public spectacle that comes with being hacked and the consequences associated with cutting corners on security. I know that I have touched on this topic in a couple of previous articles, but we still hear of companies being breached.

This brings me to my point: when looking at a solution, sometimes we look for the cheapest fix and do not think any further than the price tag associated with the item. But let’s say you don’t even make it that far: you ignore the problem and hope it does not get worse. Then when you go to make the repair, it costs far more money than just addressing the problem from the start. To combat these types of situations, many companies that are working with a tight budget turn to the affordable authentication that PortalGuard offers.

So when faced with the complex decision of price versus the cost, it is always best to consider the big picture and the cost or consequence of all that could happen if you are not proactive in preventing security breaches.

When Will We Learn? An observation about security

A friend sent me a great TED Talk video this morning, “Are we in control of our own decisions?” by Dan Ariely, behavioral economist and author of the book Predictably Irrational. This video was excellent and well worth a watch, and it opened my eyes, helping me understand some social behaviors. Personally, I love to consider different perspectives and think outside of the box; whether this makes me a genius or crazy has yet to be determined…

The video discusses many examples and makes different comparisons to prove his point about how the actions of people are “predictably irrational”, and this naturally made me think about authentication and security. When looking at recent security breaches in the media, the problems do not seem like new issues, just a recycled story of how information was compromised due to a lack of security. It would seem that when it is a hot topic in the media many people talk about the issue, but few take action to protect themselves, which leads to more security breaches down the line.

After watching this video it became apparent why this may happen. Dan explains that when a person is faced with a problem and there are many or complex options, they are less likely to act. This could explain why security issues are continuous and abundant. There are so many options out there that can overwhelm the general public and organizations alike. If the public or a corporation is unsure which angle to cover or how to best protect their information, they are very likely to just fold their arms, do nothing and hope for the best.

Dan also spoke about the need to see something to believe it, that is, making it tangible. When security is approached this way it makes more sense: when it comes to protecting a physical asset it is a lot easier to comprehend the risk because it is a tangible object. People take out insurance policies on their homes, cars and even their lives because it is easier to picture your life with or without their presence.

However, when it comes to identity theft through a security breach it is harder to envision the impact, which results in fewer people taking it as seriously as they should until it is too late and the information is compromised.

All in all, this helped me understand a little more why history seems to repeat itself so often. However, it raised a question in my head… Why do we not learn from others’ mistakes when it comes to security?

Sources:

http://www.ted.com/talks/dan_ariely_asks_are_we_in_control_of_our_own_decisions.html

http://danariely.com/about-dan/

Password Choice Hitting Close to Home

In a previous post, this blogger shared a family story of our daughter having her Facebook account compromised by another local student.  Well, the family has experienced this phenomenon again and I will share it with you today.

I would hope by now that we have all heard about Netflix and how popular it has become. Even my own Mother is fond of Netflix and shares her account with the family so we can all watch movies instantly, especially the Grandchildren. For those of you not familiar with Netflix’s watch instantly program, let me explain… users are able to log in to the Netflix website with their credentials (all the grandkids use Gramma’s credentials) and choose from a large variety of older movies that aren’t in today’s mainstream of movie interest. Choose a movie and instantly start watching it on your computer.

Yesterday I received a phone call on my cell phone while at work.  Gramma usually doesn’t bother me during work hours, so I expected it to be important.  She had been reviewing the “watched instantly” movies and saw quite a bit of increased activity.  Not only had the activity bumped up a notch, but the titles of the features were not movies that she would approve of her Grandkids watching.  You can imagine the concern coming from the other end of the conversation.

Now, Grandmother is not hip to all of the security protocols these days for choosing a password, etc., and in fact had set her password to be the name of a family member! I was able to easily convince her that her Grandkids were not watching these “age-inappropriate” movies and that it appears someone had figured out her password. I explained how bad seeds in the world have been devising ways to obtain or guess other users’ passwords and take liberties with other people’s accounts. My recommendation was to change her password and this time make it difficult for a non-family member to guess. Of course her response was, “Yah, but then I won’t be able to remember it”. Keep in mind that I am still on the clock at this point and didn’t have the luxury of taking the time to convince her otherwise.

Well, the password has been changed (she actually figured out how to do it without my help. Go Gramma!), and while it is not nearly as secure as I would have hoped, it is definitely more obscure than the first one.

Putting this story down on paper just made me realize that I have to make a mental note to ask my Mother if she does any banking or more important stuff online and then show her how to create a difficult password to guess, while making it easy for her to remember.

That’s it for this post.  I hope you were educated a little more and if not, at least entertained.  I know that phone call entertained me.

The 'Cryptopocolypse'

To further elaborate on a topic broached last week, this week an article by Patrick Lambert on TechRepublic.com investigates the issue of cryptography soon becoming obsolete due to our own advancing computing power. Cryptography is used to secure data in the virtual world, be it stored locally or on the internet, by taking advantage of some simple yet unintuitive properties of mathematics and wrapping said data within them. For a detailed look, you may also refer to our post earlier this month, which describes various aspects of the topic; the surface-level detail, however, is this: it is cryptography that allows us to protect our sensitive files, our personal data and our messages to others from prying eyes on the Internet, and without it, any data, anywhere on the net is fair game to anyone.

Hence the forthcoming moment when our computing power advances enough to easily crack any standard cryptographic practices in use right now is being called the ‘cryptopocalypse’. In the event that this happens, all computer security would be rendered meaningless in an instant, and the reasons that this would be such a terrible and chaotic event need not be expounded upon. Is there really a chance of this happening? The topic has long been debated by experts.

The initial threat against cryptographic algorithms is the ability to reverse them, which would allow someone with malicious intent to analyze the encrypted data and remove the encryption by running the mathematical operations used to create it backwards. The entire cryptographic system is built on the idea that this is nearly impossible to do and would take more guesses than any person has time for in their lifetime. So why have a person make guess after guess for years on end, when a modern computer can do the same in a fraction of the time? Computers are getting fast enough to ‘brute force’, or make tremendous numbers of guesses per second as to what the sensitive data is. The latest version of the ‘Hashcat’ password cracker, for example, now supports attacking passwords of up to 55 characters long and is capable of conducting about eight billion guesses per second as to what that password is, and it has previously been known to do well in cracking passwords of 15 characters. What will the next update be capable of?
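The brute-force arithmetic behind the paragraph above, as an added example (not code from this blog or from Hashcat): it turns the quoted eight-billion-guesses-per-second figure into worst-case exhaustion times for the password lengths and character sets a policy might mandate, and shows how many extra characters offset a given hardware speedup. The slow-hash rate is an assumed illustrative figure, not a measured one.

```python
import math

# Rate quoted in the post above for Hashcat against a fast hash (guesses per second).
HASHCAT_RATE = 8_000_000_000
# Assumed, illustrative rate against a deliberately slow password hash (e.g. bcrypt).
# Not a measured figure; shown only to contrast with the fast-hash rate.
SLOW_HASH_RATE = 100_000

CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
    "full_printable": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy (bits) of a password chosen uniformly at random from that keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, rate: int = HASHCAT_RATE) -> float:
    """Worst-case seconds to try every password at `rate` guesses per second.
    The expected time to hit one random password is half of this."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def extra_length_to_offset(speedup: float, charset_size: int) -> int:
    """Extra characters needed to keep the same exhaustion time once attackers
    become `speedup` times faster: each character multiplies the keyspace by
    charset_size, so ceil(log_charset(speedup)) more characters are required."""
    return math.ceil(math.log(speedup) / math.log(charset_size))


def policy_table(lengths, rate: int = HASHCAT_RATE):
    """Rows of (charset, length, bits, seconds) for every charset/length pair."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, round(entropy_bits(size, n), 1),
                         seconds_to_exhaust(size, n, rate)))
    return rows


if __name__ == "__main__":
    print(f"{'charset':<18}{'len':>4}{'bits':>7}  fast hash          slow hash")
    for name, n, bits, secs in policy_table((8, 12, 15)):
        slow = seconds_to_exhaust(CHARSETS[name], n, SLOW_HASH_RATE)
        print(f"{name:<18}{n:>4}{bits:>7}  {human_duration(secs):<18} {human_duration(slow)}")
    # A cracker 1000x faster than today's is offset by two extra printable characters.
    print("extra chars to offset a 1000x speedup (95-char set):",
          extra_length_to_offset(1000, 95))
```

The table makes the defender's point of the paragraph concrete: length and a slow hash, not cracker speed, decide whether the 55-character ceiling matters.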

Read more

Password breaker successfully tackles 55 character sequences

Are we heading for a ‘cryptopocolypse’?