How to Make an Authentication Cocktail


Who doesn’t enjoy a good cocktail?

James Bond liked his “shaken, not stirred” and most like them “on the rocks.” All this talk of cocktails is making me thirsty! However, today we are not here to talk about drinking a delicious drink; we are here to talk about an authentication cocktail.

What is an “authentication cocktail?”

An authentication cocktail is the pairing of two separate two-factor authentication (2FA) one-time password (OTP) delivery methods into a full-bodied combination that works in tandem, so you can reach the level of security every end user needs while still maintaining your corporate security policy.

An authentication cocktail can be made either shaken or stirred depending on your needs.


RECIPE

Ingredients:

Makes 1 flexible solution


-Flexible authentication extension

-Registered users on Active Directory (AD)

-One current authentication solution (example RSA SecurID token)

-One new authentication solution (example YubiKey token)

-Select user groups


DIRECTIONS

Shaken:

Step 1. Purchase and deploy a flexible, fixed-cost authentication extension.

Step 2. Identify a select group of RSA users that you can introduce to the easier plug-and-play USB YubiKey token.

Step 3. Prepare the users for the new integration by informing them of the change and assuring them that the changeover will be completely guided and painless, because each user can use both tokens in parallel until their RSA token expires.

Step 4. Remove the expired RSA SecurID hard tokens from your current authentication solution within your AD, and save LOTS of money.


Stirred:

Step 1. Purchase and deploy a flexible, fixed-cost authentication extension.

Step 2. Identify a select group of RSA users who use their smartphone.

Step 3. Prepare the users for the new integration by informing them to install Google Authenticator and assuring them that the changeover will be completely guided and painless, because each user can use both methods in parallel until their RSA license expires.

Step 4. Remove the expired RSA users from your current authentication solution within your AD, and save LOTS of money.
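What the two recipes boil down to in code is a policy layer that lets a pilot group use the new OTP method alongside the old one, and retires the old one per user once that user's token expires. The following is an added example, not PortalGuard or RSA code; the AD group names, user records, TOTP seeds and SecurID codes are constructed sample data, and the SecurID check is a labelled stand-in for the existing RSA agent. The TOTP leg is a real RFC 6238 implementation, which is what Google Authenticator uses.

```python
"""Group-segmented second-factor policy for the "stirred" recipe above:
a pilot group of RSA SecurID users may also use Google Authenticator
(TOTP) in parallel, and SecurID is retired per user once that user's
token expiry date has passed.  Added example, not PortalGuard or RSA code;
group names, user records, seeds and codes are constructed sample data."""
import base64
import hashlib
import hmac
import struct
from datetime import date, datetime, timezone

# Constructed directory: user -> (AD groups, RSA token expiry date or None).
DIRECTORY = {
    "alice": ({"RSA-Users"}, date(2014, 12, 31)),
    "bob": ({"RSA-Users", "Pilot-TOTP"}, date(2014, 6, 30)),
    "carol": ({"Pilot-TOTP"}, None),
}
# Constructed policy: OTP methods each AD group is allowed to use.
GROUP_METHODS = {"RSA-Users": {"securid"}, "Pilot-TOTP": {"totp"}}
LEGACY_METHOD = "securid"

# Constructed per-user TOTP seeds (base32, as enrolled in Google Authenticator).
# bob's seed is the RFC 6238 reference secret, so its codes can be checked.
TOTP_SEEDS = {"bob": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "carol": "JBSWY3DPEHPK3PXP"}
# Stand-in for the existing RSA agent: the real SecurID check stays there;
# this constructed table only lets the policy layer be exercised end to end.
SECURID_CODES = {"alice": "123456", "bob": "654321"}


def accepted_methods(user, today):
    """Union of the methods allowed by the user's groups; the legacy
    method is dropped the day after that user's RSA token expires."""
    groups, rsa_expiry = DIRECTORY[user]
    methods = set()
    for group in groups:
        methods |= GROUP_METHODS.get(group, set())
    if LEGACY_METHOD in methods and (rsa_expiry is None or today > rsa_expiry):
        methods.discard(LEGACY_METHOD)
    return methods


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def verify_totp(secret_b32, code, now, step=30, window=1):
    """Accept the current step and +/- `window` steps of clock drift,
    comparing in constant time so a wrong digit leaks no timing."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + step * k, step), code)
        for k in range(-window, window + 1)
    )


def check_securid(user, code, now_ts):
    """Constructed stand-in for the RSA agent call."""
    return hmac.compare_digest(SECURID_CODES.get(user, ""), code)


def check_totp(user, code, now_ts):
    seed = TOTP_SEEDS.get(user)
    return seed is not None and verify_totp(seed, code, now_ts)


VERIFIERS = {"securid": check_securid, "totp": check_totp}


def authenticate(user, method, code, now_ts):
    """Policy first, then the method's own verifier: a correct code for a
    method the user's groups (or token expiry) no longer allow is rejected."""
    today = datetime.fromtimestamp(now_ts, timezone.utc).date()
    if method not in accepted_methods(user, today):
        return False
    return VERIFIERS[method](user, code, now_ts)


if __name__ == "__main__":
    ts = 1401580800                              # 2014-06-01 UTC, bob's token still valid
    print(accepted_methods("bob", date(2014, 6, 1)))    # both methods during the overlap
    print(authenticate("bob", "securid", "654321", ts))  # legacy still accepted
    print(accepted_methods("bob", date(2014, 7, 1)))    # only totp after expiry
```

Once a user's RSA expiry has passed, the legacy method disappears from their accepted set, which is the point at which the expired token or RSA user can be removed from AD (Step 4 of either recipe).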


Solution Example History:

RSA SecurID Token: SecurID is RSA’s flagship authentication solution and has been a staple in many companies’ stronger-authentication toolbox for many years. However, this 2FA solution is also known to carry a hefty price tag and a set expiration date, requiring a new token to be purchased at an established time.

YubiKey Token by Yubico: This modern solution is a USB token that provides stronger authentication and a one-time password at the push of a button. This token is much more affordable and does not carry an expiration date, so there is no need to replace the unit after a set amount of time.

Who is enjoying an authentication cocktail?

It is not uncommon for a company to run two separate authentication solutions in tandem for a number of possible reasons.

Accommodate select users’ needs: Employees who either work remotely or are constantly on the road can require a different type of stronger authentication to accommodate their needs.

Security clearance levels: Not everyone in an organization has, or needs, access to classified information, so why should they all use the same OTP delivery method?

Transition from one 2FA solution to another: At times there are restrictions that make a complete switchover either impossible or simply impractical.

When any of these situations presents itself, an authentication cocktail is just what the doctor ordered and could be the answer you need.

Where to find the best authentication cocktail?

Unlike a good martini at a lounge, the best place to find one is in your own environment. The key is finding the right main ingredient: a solution that can be the bridge, allow different solutions to work in tandem, and save you money in the process. It is important to find a solution that is flexible enough, and built, to allow user groups to be segmented. Many IT professionals have turned to the authentication experts at PortalGuard to successfully establish and run an “authentication cocktail.”

UPS Hacked!


“It was the best of times, it was the worst of times.”


This famous quote from Charles Dickens’ classic novel, A Tale of Two Cities, gives insight into how two forces, like good and evil, are equal rivals contending for survival. The same goes for the world of cyber security. We have a world of information, convenience, and entertainment at our fingertips, and yet, in that world, there are dangers and possibilities to have valuable information stolen.

In Alex Rogers’ time.com article, “UPS: We’ve Been Hacked,” Rogers reports on the newest breach, at UPS. “The United Parcel Service announced Wednesday that customers’ credit and debit card information at 51 franchises in 24 states may have been compromised.” Rogers continues, “The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26.” Even though the breach was wide-ranging, UPS assured that on August 11 the threat was resolved.

UPS issued a public statement, “The customer information that may have been exposed includes names, postal addresses, email addresses and payment card information. Not all of this information may have been exposed for each customer. Based on the current assessment, The UPS Store has no evidence of fraud arising from this incident.” UPS went on to say that it is safe to shop at all of the UPS branches.

As fiction continually tells us in prose and verse, good and evil will always be at odds with each other, just as Dickens foreshadows in A Tale of Two Cities. So what can we do about it? Well, our job is twofold. We need to follow Password Best Practices (PBP) and petition the applications and companies that we use on a daily basis to start supporting two-factor authentication.

Password Best Practices

Password Best Practice (PBP) is the easiest way to secure logins to the applications and portals that hold private information. PBP gives practical advice on how to strengthen your password, how often to change your password, what not to do with your password, and much more. By enforcing PBP and educating users on it, you are on your way to achieving stronger passwords and making logins more secure. Penn State has done a great job outlining the Password Best Practices on their site. The article is a great resource and reminder of what we should be doing with our passwords.

What you can do about Two-factor Authentication

You may ask yourself what you can do to ensure that private and personal information is protected with two-factor authentication. There are two things one can do. First, if you have the sway and influence, there are identity management providers that offer usable two-factor authentication, protecting against network attacks. Secondly, if you are only a user with no influence over the IT department, there is a great site that maintains a Two-factor Authentication list. From this list you can send a direct request to those that are not currently supporting two-factor authentication. The list is a great way to see if your favorite applications and websites are doing their part in protecting your personal information from network attacks worldwide.

Even though we seem to be living in a constant state of “the best of times, the worst of times,” we can do our best to fight against the evil of stolen identities by educating ourselves on Password Best Practices and petitioning companies to support two-factor authentication.

The IT Professional vs. The Deadly Data Breach


The Deadly Data Breach

We know it well, the Deadly Data Breach! So many people have felt the effects of a data breach, and so many companies are scrambling to protect the personal information they have on file. I am sure data breaches are on the mind of every IT professional who has kept up with the most recent breaches. No one goes unscathed by The Deadly Breach: P.F. Chang’s, Goodwill, Home Depot, and numerous schools.

Home Depot’s recent data breach reaches all the way back to April 1 of this year. In his blog article “Important Home Depot Update,” Steven Weisman reports that “along with the credit card numbers and debit card numbers, the hackers also are selling the state and zip code for the particular cards. This enables the hackers to defeat some fraud detection programs that pick up charges made from areas far from the home of the card holder.” This masks the fraudulent charges and delays agencies’ discovery of a security breach. The Deadly Data Breaches just keep getting more deadly!


The Cost of The Deadly Data Breach

The cost of the deadly data breach doesn’t stop at the yearly budget meeting. There are many different costs when a breach strikes: the cost of private information, the cost of an organization’s reputation, and the actual monetary cost. Target’s data breach has cost them $148 million so far, and having more stores than Target, Home Depot will most likely exceed that number. At this moment in time, I do not envy the IT Professional and truly feel for them; thankfully, there are some great resources for IT Professionals. For example, Liisa Thomas’s book, Thomas on Data Breach: A Practical Guide to Handling Data Breach Notifications Worldwide, is a great resource for the IT Professional contending with The Deadly Data Breach.


What Can Anyone Do?

There are many things that both the IT Professionals and the end users may do to proactively protect themselves from having their identity stolen. In reference to the Home Depot breach, Weisman gives practical tips on protecting yourself from identity theft. Weisman’s blog Scamicide is a great resource on daily technical news and practical tips to protect against hacktivists.


  • Password Best Practices: These are a great place for the IT Professional to start in their fight against the Deadly Data Breach. Password Best Practices are common-sense protocols for passwords and a great place to start creating a healthy password environment for your organization. Penn State has a great article on Password Best Practices that I found very helpful.


  • Speak Up: For the end user, there is a great website that was featured in the NYTimes that has a list of applications supporting two-factor authentication. The end user is also able to send a request to their favorite website/application requesting that they support two-factor.


We are in an age where logins are a part of life and the gateway to private and confidential data. As the tsunami of data breaches continues to destroy and damage the cyber world, it is time to look towards stronger authentication to reduce the impact on organizations worldwide.


http://scamicide.com/2014/09/11/scam-of-the-day-september-11-2014-important-home-depot-update/

Press Release: Get the Level of Identity Management Your Campus NEEDS for Office 365


BEDFORD, NH– (Marketwire – June 25, 2014) – Today, PistolStar, Inc. announced the integration of its PortalGuard product with Office 365. This integration will give administrators the power to choose the level of convenience and security they desire for their students and faculty while accessing Office 365, including:


-Self Service Password Reset (SSPR)

-Single Sign-on (SSO)

-Two-factor Authentication


With PortalGuard integrated with Office 365, schools now get the level of identity management they need. Gregg Browinski, CTO of PistolStar, Inc. comments on the level of identity management and security with PortalGuard. “Using Office 365 guarantees 99.9% uptime for your campus email infrastructure, but this benefit is moot if students forget their passwords and can’t login. Federating Office 365 with a local ADFS instance can allow SSO but this just pushes a ‘forgotten password’ scenario further back to the desktop login and still lacks stronger two-factor authentication or self-service password reset options.” Browinski continues, “Swapping PortalGuard in place of ADFS in this architecture can provide standards-based web SSO and highly flexible SSPR from a single, tightly integrated, brandable, login interface.”


Using PortalGuard’s SSPR, students and faculty are given the power to reset their passwords from the web or desktop, reducing help desk calls and increasing ROI. SSO streamlines the login and reduces the barriers to access; with just a single login, the students and faculty gain access to all of their authorized applications, including: Blackboard, Moodle, Canvas, Banner, Google Apps, and Office 365.


PortalGuard provides you with the level of identity management your campus needs. Learn more about PortalGuard®’s seamless integration for Office 365 and other education applications on our Education Page.

From Hacktivist to Cybersleuth


It’s just like something out of the movies: a criminal mastermind gets caught, turns from his wicked ways, and eventually unveils a piece of the criminal underworld to help out the good guys. There is something intriguing in being able to see into the criminal mind and get a behind-the-scenes look at the secret life of these hacktivists. In the hacktivists’ world, there is a network of secret groups and ominous aliases that threaten to breach and expose a multitude of private and personal data.


In August 2011, Hector Xavier Monsegur, also known by his hacker alias “Sabu,” pled guilty to numerous charges relating to multiple hacktivist actions. Monsegur then proceeded to help reveal the true identities behind the aliases responsible for stolen identities and compromised corporations. According to The Daily Dot article “LulzSec hacker-informant ‘Sabu’ set free,” “After agreeing to help the FBI “immediately” after they busted him in his home on June 7, 2011, according to court documents, he proved extremely helpful to their investigations.” With Monsegur turned cybersleuth, FBI officials were able to prevent many major cyber attacks from taking place.


Monsegur is also the foster parent of two kids, and this was what drove Monsegur’s quick decision to plead guilty and cooperate fully with the FBI. According to USA Today, his attorneys stated, “It was not a difficult choice for him. [. . .] his family came first.” Monsegur and his family are currently being relocated for safety purposes.


http://www.usatoday.com/story/money/business/2014/06/16/computer-hacker-sabu-monsegur-took-risks/9731443/


http://www.dailydot.com/news/sabu-hector-xavier-monsegur-fbi-antisec-anonymous-sentenced/

Google Removes Ad Scanning for Apps within Education for Good


Recently, Google made an announcement via their blog stating they will be permanently removing any form of ad scanning for applications associated with education users. Google was quick to point out that they never intended to collect data in education-based Apps; in the past, a campus admin would have had to enable the ad scanning. Now, even if the admin had enabled ad scanning, it will no longer be enabled within their environment.

To give you a brief overview of the ad scan, it is a blind algorithm that Google uses to scan your email and usage to provide you with more targeted advertisements based on your information.

The new Google policy is as follows:

“Google Apps for Education services do not collect or use student data for advertising purposes or create advertising profiles.

Gmail for consumers and Google Apps for Education users runs on the same infrastructure, which helps us deliver high performance, reliability and security to all of our users. However, Google Apps is a separate offering that provides additional security, administrative and archiving controls for education, business and government customers.

Like many email providers, we do scanning in Gmail to keep our customers secure and to improve their product experience. In Gmail for Google Apps for Education, this includes virus and spam protection, spell check, relevant search results and features like Priority Inbox and auto-detection of calendar events.  Scanning to provide product features is done on all incoming emails and is 100% automated. We do NOT scan Google Apps for Education emails for advertising purposes.

Additionally, we do not collect or use any information stored in Apps for Education users’ Google Drive or Docs (or Sheets, Slides, Drawings, Forms) for any advertising purposes”

Great news for business based Google Apps users too: this policy will be carried over to these Apps in the near future. Google was quick to point out that it had permanently disabled this feature on all logged in K-12 users last year.

Source: http://time.com/82705/student-pass-google-junks-gmail-ad-scanning-for-student-accounts/#

Alarmingly Low Rate of Employees Receive Security Awareness Training


With the state of the economy, it is not too shocking that only 43% of employees receive security awareness training. Many companies have been faced with reducing their workforce and running “leaner and meaner,” thus devoting all hours of the workday to improving the company’s bottom line. It is hard to believe that such an important element has gone the way of the Dodo bird. One would think that more time would be dedicated to security training given the recent and highly publicized security breaches at other companies.

However, the results of a recent survey by Enterprise Management Associates (EMA) show that 56% of corporate employees have not received any security awareness or policy training.

A recent SC Magazine article, “Security Awareness Training: It’s Not Just for Compliance,” explains EMA’s findings: “45 percent of employees received their training in a single annual session. But a one-off training session that covers a broad swath of security issues likely isn’t effective.”

According to the report, the average cost of providing security training is only $50. This seems like a small price, but multiply that by a few hundred users and you start to see why this simple exercise in protecting their company may be overlooked. Yet, providing the staff with proper training could result in saving the organization from the far greater expense of a data breach.

“35 percent said they clicked on an email from an unknown source and 33 percent have the same password for both work and personal devices.” White goes on, while “30 percent still leave mobile devices unattended in their car. They need to know why security is important.”

While under-education of the population at large can seem startling, a best practice for increasing security within any environment is to have a strong password policy that includes specific password expiration increments. In order to deploy such a password policy, the company must first roll out a self-service password reset program. Many companies turn to the authentication experts at PortalGuard for their self-service password reset needs and other authentication solutions.

Government Surveillance, Time to Reform?


There has been a recent push back against the government, claiming that it is infringing on the privacy rights of users. Eight companies, AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo, co-authored a letter to President Obama stating their concerns. In this letter, the major companies broached the issue of global interference with users’ internet accounts and acknowledged that governments do indeed need to protect their citizens, but not at the cost of civil liberties. Along with the letter, www.reformgovernmentsurveillance.com was created to raise awareness and call the government to action.

Request for Transparency

One of the biggest requests in the letter was for transparency. The website reformgovernmentsurveillance.com stated, “Governments should allow companies to publish the number and nature of government demands for user information.” Companies like Microsoft and Twitter recently announced further steps they are taking to ensure that they use the most advanced forms of encryption to secure their users’ information. Transparency from the government is a great concern for users and companies worldwide.

Request for Clearer Framework

Another major request the website reformgovernmentsurveillance.com brought to the forefront was the need for a “robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty, or ‘MLAT,’ processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.” For example, it is well known that in our country we have more freedom when it comes to internet use than other countries like China. An agreed-upon, transparent framework would avoid conflict between differing laws.

Request for Our Rights

The question that lies beneath all of this is at what point will the rights of internet privacy and our constitution be respected? The open letter to Obama on www.reformgovernmentsurveillance.com from the major companies states our constitutional right in regards to internet safety most accurately.

“We understand that governments have a duty to protect their citizens, but this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.”

In the words of Francois-Marie Arouet, better known as Voltaire, later reiterated by Uncle Ben to a soon to be superhero, “with great power, comes great responsibility.”


Resources:

http://www.reformgovernmentsurveillance.com/#

http://www.scmagazine.com//leading-tech-companies-make-joint-call-for-surveillance-reform/article/324795/

To E-File or Not to E-File


While Shakespeare is better known as an excellent playwright, vivacious actor, and sublime constructor of the English language, he also has a not-so-well-known, historical record for tax evasion, hoarding, and the selling of grain at atrocious prices during years of famine. Although we are not here to discuss the moral ethics of Shakespeare, we should ask ourselves “to e-file or not to e-file.”

As the season for filing your taxes approaches, and with many already waiting for their returns, e-filing security is on the minds of many. According to WMBF News, in 2012 the Department of Revenue (DOR) was hacked, compromising millions of taxpayers’ personal information. Samantha Cheek, the spokesperson for the DOR, believes that for 2014 “e-filing is not only safe, it may be more secure than filing a paper return. Paper returns are handled by numerous people and can be stolen.” The DOR is now implementing Two-Factor Authentication (2FA) and monitoring its web activity closely. But how can you know that e-filing your taxes will keep your information safe from those prowling the streets of the internet looking for their next e-filing victim? Below are a few things to keep in mind during tax season.

Beware of the Bait

By using “phishing emails,” the hacker behind the 2012 DOR breach was able to access the DOR system at will, causing the breach in security. Phishing bait is everywhere, from emails to social media. Just be wary. They all promise different things, but they all want the same thing: your identity.

E-filing Into Fraud

E-filing is the most convenient way to file your taxes and the quickest way to get your return back. By e-filing your taxes, the IRS says you are entering into a world “where hackers have already proven they’re pretty savvy.” Another precaution you can take is being sure that your e-filing provider is using the latest in web application security by checking their security and privacy policies.

Use Caution

There are a few things you can do on your own to create a secure environment for e-filing. First, be sure that your computer and web browser are up to date; this ensures that any simple holes a hacker might use are patched. Also, before working on your taxes, make sure your network’s wireless router has its security enabled, and never file your taxes from a public wireless hotspot. And as always, choose a strong password that contains a variety of numbers, letters, and special characters.

In closing, WMBF News states, “the bottom line is there’s no foolproof plan when a thief is on the prowl. That’s why experts say stay informed. Check your credit often. Make sure your preparer is a reputable person or firm and if you suspect something is amiss, report it immediately.”

http://www.scmagazine.com//irs-warns-phishing-attacks-are-among-dirty-dozen-tax-scams/article/286575/

http://www.wmbfnews.com/story/24634961/2014-tax-filing-season-raises-security-concerns

http://www.computerworld.com/s/article/9016362/10_security_tips_for_e_filing_tax_returns

The N.S.A. Gets Crafty

How the N.S.A. Uses Radio Frequencies to Penetrate Computers

New details have been exposed that the National Security Agency has the ability to access computers even when they are “air gapped.” This term refers to computers that are not connected to any network, whether wireless or a wired LAN.

This information was leaked in association with the Snowden disclosures made public last year. The New York Times article on Tuesday described how the N.S.A. had implanted hardware in almost 100,000 computers around the world that allowed them to access the computers via radio waves.

“The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.”

In order to install this hardware on the machines, spies and sometimes manufacturers would implant the hardware, making it possible for the computer to be tracked. This was a step in the right direction as far as gaining access to information that previously was unavailable to US intelligence agencies.

The article goes on to explain that, in the recent past, the Chinese Army has performed similar covert operations against US companies and government organizations. The N.S.A. and the United States Cyber Command have been victims of the Chinese attacks, which were mostly used to gather and steal secrets or intellectual property.

In the article, James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington, was quoted. “What’s new here are the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before… Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”

Sources:

http://www.nytimes.com/2014/01/15/us/NSA-effort-pries-open-computers-not-connected-to-internet.html?hp&_r=0

http://www.stratcom.mil/factsheets/Cyber_Command/