Backyard SSO Hero


So, my neighbor, Penny, peeks her head over the fence and asks me what I think about this SSO stuff.  What makes her think I even want to chat in the first place . . . the game is on and I’m stuck out here?  Can’t she see all these leaves taunting me because the leaf blower won’t start?  A more appropriate discourse would have been something like, “Hey, my kids are looking for something to do. Can they rake your leaves for you?” But nevertheless, as I reluctantly get off my knees to graciously accept her unwanted invitation for fence banter, she continues with, “What does it even stand for?  People I work with have been throwing it around, and I feel like I’m missing out on something. Does it stand for ‘Sorry So Obvious’ or ‘Seek Some Outdoors’ or maybe some form of ‘See ya Soon’?”


She now has me amused, and I’m finding her unsolicited remarks more interesting than the task at hand.  I slowly get upright and reply to her with, “SSO stands for Single Sign On, and you may have it in place if your work day is not interrupted by too many security logins to the various applications you use at work. You are able to save time with SSO.”

 

“Security logins?  What are those?” she replies.

 

“Do you have to provide an account name and password when you log into your computer in the morning?” I ask.

 

“Yes”, she states.

 

“Do you then have to provide additional username and password combinations to access other applications, such as SharePoint or Google Apps?”

 

“Oh, do you mean like Blackboard or my email?” she asks.

 

“Yes, exactly like Blackboard and Outlook Web App.  How do you like logging in that many times in one day?” I inquire.

 

“It drives me nuts!” she retorts.  “I have already shown the computer who I am, so why does it keep asking me to provide more names and passwords?!  Our IT guy tells us we need to make strong passwords with symbols, upper and lower case letters, and even numbers.  Oh noooo… you can’t even make it something that is easy to remember because it would be too easy to guess.  That’s hard enough, and then we can’t write it down! My job is stressful enough without having to be bothered with all these usernames and passwords, not to mention dealing with an IT staff member should you, dare I say it . . . forget your password.”

 

Whoa!  When did I become the neighborhood technical therapist? 😉 Anyway, football game and lawn work aside, Penny needs help and I’m the closest one to her at this point…  the sacrifices we dedicated IT people make. I reassured Penny, “Single Sign On is going to be your best friend soon. You will be able to save time with SSO, and SSO reduces the phishing attack space. Not to mention, having SSO in place will eliminate most of the bad experiences you are having with passwords and authentication.”


Penny asks, “Soon?  Why do you say soon?”

 

I reply, “Because it’s obvious that your company has not implemented SSO yet due to your multiple logins, and it looks like you can be the hero that starts the revolution for your co-workers.  Here’s what you do when you get back to work on Monday.  See if you can find someone with buying power, and plant a seed with the following facts.

1- Save time with SSO! Save time not only for the individual users that no longer have to log in to everything, but also for the IT people that are currently supporting users with multiple accounts and passwords.

2- Remind that person how grateful the IT staff will be to the person that puts SSO in place and takes a lot of frustration and despair out of their work week.

3- And for the knockout blow, SSO reduces the phishing attack space. You can let that lucky person know that eliminating all those logins reduces the phishing attack space considerably.  Should they ask how to get started, you can give them the www.portalguard.com website.”

 

The next thing I know, I’m watching the game, and Penny’s kids are finishing up the yard work.

The IT Professional vs. The Deadly Data Breach


The Deadly Data Breach

We know it well, the Deadly Data Breach! So many people have felt the effects of a data breach, and so many companies are scrambling to protect the personal information they have on file. I am sure data breaches are on the minds of every IT professional that has kept up with the most recent breaches. No one goes unscathed by The Deadly Breach: P.F. Chang’s, Goodwill, Home Depot, and numerous schools.

Home Depot’s recent data breach reaches all the way back to April first of this year. In his blog article, “Important Home Depot Update,” Steven Weisman reports that “along with the credit card numbers and debit card numbers, the hackers also are selling the state and zip code for the particular cards.  This enables the hackers to defeat some fraud detection programs that pick up charges made from areas far from the home of the card holder.” This only hides the fraud longer and delays agencies from discovering a security breach. The Deadly Data Breaches just keep getting more deadly!


The Cost of The Deadly Data Breach

The cost of the deadly data breach doesn’t stop at the yearly budget meeting. There are many different costs when a breach strikes: the cost of private information, the cost of an organization’s reputation, and the actual monetary cost. Target’s data breach has cost them $148 million so far, and with more stores than Target, Home Depot will most likely exceed that number. At this moment in time, I do not envy the IT Professional and truly feel for them; thankfully, there are some great resources for IT Professionals. For example, Liisa Thomas’s book, Thomas on Data Breach: A Practical Guide to Handling Data Breach Notifications Worldwide, is a great resource for the IT Professional contending with The Deadly Data Breach.


What Can Anyone Do?

There are many things that both the IT Professionals and the end users may do to proactively protect themselves from having their identity stolen. In reference to the Home Depot breach, Weisman gives practical tips on protecting yourself from identity theft. Weisman’s blog Scamicide is a great resource on daily technical news and practical tips to protect against hacktivists.

 

  • Password Best Practices: These are a great place for the IT Professional to start in their fight against the Deadly Data Breach. Password Best Practices are common sense protocols for passwords and a great place to start creating a healthy password environment for your organization. Penn State has a great article on Password Best Practices that I found very helpful.


  • Speak Up: For the end user, there is a great website that was featured in the NYTimes that has a list of applications supporting two-factor authentication. The end user is also able to send a request to their favorite website/application requesting that they support two-factor.


We are in an age where logins are a part of life and the gateway to private and confidential data. As the tsunami of data breaches continues to destroy and damage the cyber world, it is time to look towards stronger authentication to reduce the impact on organizations worldwide.


http://scamicide.com/2014/09/11/scam-of-the-day-september-11-2014-important-home-depot-update/

You Have a Case of Identity Theft!


It’s the hot topic in the news, blogs, books, and more, identity theft and security! We are all susceptible to identity theft from the individual user to the largest corporation.

 

Author Steve Weisman has been speaking on Identity Security for years, including in his blog Scamicide and in his books The Truth About Avoiding Scams and Identity Theft Alert: 10 Rules You Must Follow. The most recent breach, at Community Health Systems, is one that Weisman covers in his blog entry Community Health Systems and the Chinese hacker. By now we all know the characters in the story: the hacker wants sensitive data, companies have budgets and time constraints, and users want usability. In his blog post, “Community Health Systems Data Breach Update”, Weisman wisely states, “It has been said that the price of liberty is eternal vigilance and that is also important in maintaining your own personal security.  People who did not change their passwords following the Heartbleed security flaw first being uncovered should take this as a wake up call to do so now.” I concur!


(read on to learn how you can make a difference)

 

Weisman goes on to give some great examples on how to protect credit and to watch for fraud. But we all know that that is not where the story ends. Weisman states the grim truth that “it is not unusual for hackings and data breaches to remain undiscovered for significant periods of time.  This data breach may be the first major data breach connected to Community Health Systems, but it is most likely not going to be the last.” Sadly, he is most likely correct.

 

Organizations and companies need to transition to stronger authentication; one way they can do this is with a usable authentication solution. Why usable? Well, let’s not forget one of the main characters in this story, the user. Users want usability when it comes to identity security and logging into their accounts, and there are many solutions that are rising to the occasion to provide both security and usability to organizations. PortalGuard is one solution that brings usable Two-factor Authentication to the table with printable OTPs, SMS, and PassiveKey.

 

So there is no doubt that security needs to be increased and usability cannot be forgotten, but what can you do as an individual to increase authentication security within the organizations that you use on a daily basis? Well, I am glad you asked. I just happen to have the perfect site, one that was promoted on newyorktimes.com in Ron Lieber’s article A Two-step Plan to Stop Hackers.  Twofactorauth.org allows you to send a tweet requesting that the organizations and apps housing your personal information support two-factor. (you may now cheer and applaud) Find out if your favorite app is using Two-factor, or take it into your own hands and tell them to support Two-factor.


Weisman ends his blog post reminding us that “you are only as safe as the places that hold your personal information and some of them have poor security.” How true that is, and how slow many are at implementing the necessary steps to secure our personal and private data. In conclusion, you really have two choices as a user.


Cut out all technology from your life and keep your savings under your mattress

OR

Make smart identity choices and request that those that are housing your personal information implement a usable, two-factor solution.

More Compromised Students and Faculty


Recently, there was yet another security breach at a college campus. This time the victim was Butler University, where a hacker accessed over 160,000 records for current and past students and faculty. The information stolen was the typical pertinent information that is stolen in this type of breach:

Names, Social Security numbers, dates of birth, and bank account information.

The breach came to light through an identity theft investigation by California law enforcement. The perpetrator that was caught possessed a flash drive that contained all of the data stolen from Butler University. Through the work of a third-party investigator, it was uncovered that the information was stolen by remote hackers who accessed the University’s network between November 2013 and May 2014.

When will all of this craziness stop and people take security seriously?

I find it interesting that there is not more of an outcry from the general public to make sure that organizations are protecting their information. It used to be that colleges and universities were less likely to get attacked, since students typically do not have any credit in general. However, this year we have seen two other colleges breached in the spring and a high school earlier this summer.

There are schools, like Dalton State College and Clermont Northeastern School District, that have taken a serious look at this problem and addressed it by partnering with PortalGuard to deploy a two-factor authentication solution. By adding a two-factor authentication solution to their environment, they are able to ensure that the end user is who they claim to be and not an imposter or hacker. This type of authentication can also deter man-in-the-middle attacks.


Violated Database: Montana Department of Public Health and Human Services


Your car has been broken into, yet nothing was stolen. Nothing was stolen, so no big deal, right? WRONG! You would still feel violated, creeped out, and concerned about it happening again. The Montana Health Department has experienced a similar data breach.

 

On May 15th, Montana’s Department of Public Health and Human Services (DPHHS) officials noticed out-of-the-ordinary activity. After further investigation, DPHHS confirmed that a server had been breached by hackers, and according to Alison Diana’s article Montana Health Department Hacked, “1.3 million people of the incident” are being notified of the breach and assured that their information will be protected. Diana continues by stating, “there is no evidence this information was used inappropriately – or even accessed.”


At the moment, DPHHS is ensuring that a stronger security solution will be put in place to prevent such attacks from happening again, and extra measures are being taken to ensure that citizen information is not compromised. DPHHS has a help line listed on their website with information for potentially affected patients.


Diana continues in her article on the increase in attacks on healthcare databases, “many healthcare breaches have historically resulted from employee carelessness or error, hackers are increasingly attracted to this industry’s rich stash of personal data — including Social Security numbers, credit card information, and addresses — and personal health information.” With all this private information being housed within a healthcare database, it is imperative that a stronger authentication solution be put in place, along with educating employees on Password Best Practices (PBP). Many IT professionals are turning to PortalGuard for Healthcare for stronger security and increased usability for their corporation.


http://www.informationweek.com/healthcare/security-and-privacy/montana-health-department-hacked/d/d-id/1278872

Honesty is the Best Policy: Passwords, IT Security Professionals, and Llamas!


Well, the truth is that many organizations are just not enforcing the basics of Password Best Practices (PBP), never mind investing in and enforcing stronger identity security. With so much emphasis on ROI, the truth is IT Security Professionals make the dangerous decision to purchase the minimal authentication solution just to have “something” in place. And the truth about Llamas is never tick off a Llama; they spit when provoked or threatened!


Passwords are precious things and have lost their importance in the eyes of the public. According to Teri Robison’s article in SC Magazine, Study: Security pros still grappling with lax password policies, “respondents to Lieberman Software’s ‘2014 Information Security Survey’ saying that they can still access systems at a previous place of employment by using old credentials. Disturbingly, in some cases, the report found, they can even access the systems of two or more employers.” A good place to start would be PBP, but sadly, Robison states that the 2014 Information Security Survey reports “quite a few respondents — nearly one in four — say their organizations don’t change their service and process account passwords within 90 days, which is recommended by most mandatory regulations.” This is staggering, and I believe there is a Llama spitting somewhere right now.


Also in the article, Robison quotes Lieberman stating, “’it’s astonishingly common’ in corporate and government networks for the administrator passwords . . . ‘to be shared across multiple systems, remain unchanged for extended periods of time, and be used without any access control or audit records.’” It goes without saying this is an unacceptable policy . . . anywhere!

 

With all the breaches in security, you would think the lesson would be learned indirectly and companies would prioritize authentication security. But truth be told, Robison also quotes Lieberman stating, “a breach ups interest in investing in security, but not for long . . . with a ‘half-life mentality’ companies loosen the purse strings in the wake of a data breach, ‘diminishing back to basic security after a few months,’” a sad truth to be sure.


In closing, it is a no brainer that Passwords must be stronger and PBP awareness shared, IT Security Professionals must invest in a solution that increases ROI, and stronger security means commitment!

 

So go ahead! Invest . . . the Llamas won’t mind.


Source:

http://www.scmagazine.com/study-security-pros-still-grappling-with-lax-password-policies/article/348888/2/

Are You Only a Hacktivist Away from Chaos?


Data security is a hot topic right now with Target, Michaels, and other large companies reporting data breaches. After all the time, money, and publicity from the breaches, I am sure they wish they could turn back time and deploy stronger authentication to guard against the black market hacktivists that caused the chaos.


In Cameron Shilling’s article “Is Your Business a Data Breach Away from Disaster?,” Shilling states, “data security breaches are not just perpetrated by Internet hackers looking for credit card numbers. For example, health care providers are targeted for medical and insurance information, and educational institutions are targeted for financial aid and personal information about students, parents and alumni.” If your company is housing private information, you are a target for the hacktivists. No matter how small or how large, your company is at risk.


Even though this is a serious problem, we take these warnings and disregard them with thoughts like “it could never happen to me” or “that takes too much time and money.” But it could happen to you, and a serious data breach is just one hacktivist away, resulting in lost personal information and lost credibility with your customers.


Many companies do not realize that a data breach can cost hundreds of thousands of dollars.


Shilling also points out that there are unforeseen costs to a company’s data breach; “costs include direct expenses to investigate, provide notifications and remediate the breach, such as for legal counsel, computer forensic consultants, public relations specialist, credit monitoring services and price concessions,” and these make up only about 40% of the total cost of “fixing” a data breach. Shilling goes on to point out that “the greater losses, which are often hidden to most businesses, arise from indirect costs, like diminishing revenue and profits from lost customer business, and diminishing employee productivity from time spent addressing the breach and its aftermath.” Without a doubt, it is more cost effective and efficient to deploy a strong authentication solution before the breach takes place.


Everyone should take the necessary steps to secure their systems and private information. It is well worth the effort to protect against breaches. Many companies and organizations are turning to the affordable, strong, hassle-free two-factor authentication like PassiveKey, created by the authentication experts at PortalGuard.

 

Don’t be at high risk anymore!


Shilling, Cameron G. “Is Your Business a Data Breach Away from Disaster?” Business Magazine Mar. 2014: 26-27. Print.

Hacking Your Way to Love


In this blog, we certainly do not condone hacking in any manner. However, this morning there was a hacking love story that popped up in my newsfeed regarding OK Cupid, a hacking of a different kind on an online dating website.  Using mathematics, Chris McKinlay cracked OK Cupid’s algorithm for selecting a mate.

The way that OK Cupid works its magic is by asking specific questions, with a different level of importance attached to each topic.  The questions asked by OK Cupid range from whether the person has a dog or wants kids to what they like to do in their leisure time. McKinlay, like many people, was searching for that perfect companion to share the rest of his life with. However, he noticed that only about 100 matches were found in the greater Los Angeles area and thought that this did not seem accurate.

In June of 2012, McKinlay was working on his mathematics thesis and wondered if he could use math to get more matches on OK Cupid.

“I started thinking about it when I was in dissertation mode, so I was applying grad student mentality to everything back then,” McKinlay said.

Using the math and programming skills he already had, he built a bot to trawl the website and do some research to find out how women within a demographic answered certain questions. He then focused on a couple of questions that he thought would help him find his perfect match.

By applying his theory, the website turned up a staggering number of women that were a good match. This led to 88 dates over three months until he met Christine Wang; they immediately clicked, leading to an engagement after one year.

Good Morning America interviewed Christian Rudder, co-founder and president of OkCupid, and he thought McKinlay’s approach was “pretty cool… In general, whatever people need to do to make OkCupid work for them, we support. The point is to help people find dates — that’s our only goal. We’re totally happy for people to ‘hack’ us. As long as no one is being treated with disrespect or being tricked, which it doesn’t sound like he was doing, then we’re game for it.”

Source:

http://gma.yahoo.com/blogs/abc-blogs/genius-okcupid-hack-led-true-love-212911321–abc-news-topstories.html


The N.S.A. Gets Crafty

How the N.S.A. Uses Radio Frequencies to Penetrate Computers

New details have been exposed that the National Security Agency has the ability to access computers even when they are “air gapped.” This term refers to computers that are not connected to any network, wireless or LAN.

This information was leaked in connection with the Snowden disclosures that were made public last year. The New York Times article on Tuesday described how the N.S.A. had implanted hardware in almost 100,000 computers around the world that allowed them to access the computers via radio waves.

“The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers. In some cases, they are sent to a briefcase-size relay station that intelligence agencies can set up miles away from the target.”

In order to install this hardware successfully on the machines, spies and sometimes manufacturers would implant the hardware on the machines, making it possible for the computer to be tracked. This was a step in the right direction as far as gaining access to information that previously was unavailable to US Intelligence Agencies.

The article goes on to explain that, in the recent past, the Chinese Army has performed similar covert operations against US companies and government organizations. The N.S.A. and the United States Cyber Command have been victims of the Chinese attacks; the attacks were used mostly to gather and steal secrets or intellectual property.

In the article, James Andrew Lewis, the cybersecurity expert at the Center for Strategic and International Studies in Washington, was quoted. “What’s new here are the scale and the sophistication of the intelligence agency’s ability to get into computers and networks to which no one has ever had access before… Some of these capabilities have been around for a while, but the combination of learning how to penetrate systems to insert software and learning how to do that using radio frequencies has given the U.S. a window it’s never had before.”

Sources:

http://www.nytimes.com/2014/01/15/us/NSA-effort-pries-open-computers-not-connected-to-internet.html?hp&_r=0

http://www.stratcom.mil/factsheets/Cyber_Command/

One of America’s Favorite Retailers Faces a Breach


When turning on the news yesterday morning it was one of the top stories: Target Stores Security Breach affects 40 million shoppers. Our office is right next door to a Target, so it is safe to say I am there pretty regularly. Like many other Americans that hold their credit scores close to their chest, it worried me, and immediately I thought to myself: how did this happen, how will it affect me, what does it really mean?

SecureState, a Qualified Security Assessor (QSA), had a very comprehensive article that explained the whole thing pretty thoroughly. The article explains all of the compliance and regulations that surround a company using point of sale card readers.  According to the article, it would appear that Target was running a homegrown, custom built application. However, there are standards that should be followed at all times, including the Payment Application Data Security Standard (PA-DSS).

“For a hacker to be able to infiltrate Target’s network and access the POS application several PCI-DSS and PA-DSS controls must not have been implemented effectively.  Thus, Target was not compliant during the time of the breach… It’s not easy for an attacker to bypass these controls, access a secure POS, and steal 40 million records.  Therefore, the hack was either very sophisticated or Target lacked basic controls to prevent it.”

What’s the next step for Target? To stop the bleeding and make sure that the systems affected are no longer available to the hackers and that no further information is leaked. After all of that is done, they can put an action plan in place to prevent these types of breaches in the future. Then the finger pointing will begin; this is where it gets ugly on a corporate level.

All-in-all what this means for us, the consumer, is that we need to keep an eye on our credit cards and reports to make sure that nothing fishy shows up.

Sources:

http://blog.securestate.com/targets-credit-card-compromise/

https://www.pcisecuritystandards.org/security_standards/