Backyard SSO Hero

So, my neighbor, Penny, peeks her head over the fence and asks me what I think about this SSO stuff.  What makes her think I even want to chat in the first place . . . the game is on and I’m stuck out here?  Can’t she see all these leaves taunting me because the leaf blower won’t start?  A more appropriate discourse would have been something like, “Hey, my kids are looking for something to do. Can they rake your leaves for you?” But nevertheless, as I reluctantly get off my knees to graciously accept her unwanted invitation for fence banter, she continues with, “What does it even stand for?  People I work with have been throwing it around, and I feel like I’m missing out on something. Does it stand for ‘Sorry So Obvious’ or ‘Seek Some Outdoors’ or maybe some form of ‘See ya Soon’?”

 

She now has me amused, and I’m finding her unsolicited remarks more interesting than the task at hand.  I slowly get upright and reply to her with, “SSO stands for Single Sign On, and you may have it in place if your work day is not interrupted by too many security logins to the various applications you use at work. You are able to save time with SSO.”

 

“Security logins?  What are those?” she replies.

 

“Do you have to provide an account name and password when you log into your computer in the morning?” I ask.

 

“Yes”, she states.

 

“Do you then have to provide additional username and password combinations to access other applications, such as SharePoint or Google Apps?”

 

“Oh, do you mean like Blackboard or my email?” she asks.

 

“Yes, exactly like Blackboard and Outlook Web App.  How do you like logging in that many times in one day?” I inquire.

 

“It drives me nuts!” she retorts.  “I have already shown the computer who I am, so why does it keep asking me to provide more names and passwords?!  Our IT guy tells us we need to make strong passwords with symbols, upper and lower case letters, and even numbers.  Oh noooo… you can’t even make it something that is easy to remember because it would be too easy to guess.  That’s hard enough, and then we can’t write it down! My job is stressful enough without having to be bothered with all these usernames and passwords, not to mention dealing with an IT staff member should you, dare I say it . . . forget your password.”

 

Whoa!  When did I become the neighborhood technical therapist? 😉 Anyway, football game and lawn work aside, Penny needs help and I’m the closest one to her at this point…  the sacrifices we dedicated IT people make. I reassured Penny, “Single Sign On is going to be your best friend soon. You will be able to save time with SSO, and SSO reduces the phishing attack space. Not to mention, having SSO in place will eliminate most of the bad experiences you are having with passwords and authentication.”

 

Penny asks, “Soon?  Why do you say soon?”

 

I reply, “Because it’s obvious that your company has not implemented SSO yet due to your multiple logins, and it looks like you can be the hero that starts the revolution for your co-workers.  Here’s what you do when you get back to work on Monday.  See if you can find someone with buying power, and plant a seed with the following facts.

1- Save time with SSO! Save time not only for the individual users who no longer have to log in to everything, but also for the IT people who are currently supporting users with multiple accounts and passwords.

2- Remind that person how grateful the IT staff will be to the person that puts SSO in place and takes a lot of frustration and despair out of their work week.

3- And for the knockout blow, SSO reduces the phishing attack space. You can let that lucky person know that eliminating all those logins reduces the phishing attack space considerably.  Should they ask how to get started, you can give them the www.portalguard.com website.”

 

The next thing I know, I’m watching the game, and Penny’s kids are finishing up the yard work.

Breach Fatigue: Don't Be a Victim

Data Breach, Data Fatigue, Securauth

 

In recent weeks, the largest bank in the United States, JP Morgan Chase & Co., has fallen victim to cybercriminals.

Last Thursday, JP Morgan disclosed that hackers had obtained information about its customers.  This included personal information such as names, addresses, phone numbers, and e-mail addresses from over 76 million households and 7 million small businesses.

Scary, right?

One would think.

In a recent Washington Post article, “Data breach fatigue follows two cyber intrusions,” author Sarah Halzack shares insight on how consumers are not as worried about data breaches as they should be.  A growing share of consumers ignore notifications of a potential data theft, and the majority of them did not stop doing business with companies that have been hit by cybercriminals.

Consumers need to overcome this breach fatigue, and here’s why:

With 579 data breaches reported so far this year, cybercriminals are on the rise.  With crucial information such as passwords or credit card numbers, cybercriminals may have direct access to one’s financial accounts. Although that is not the case for JP Morgan, identity theft can lead to many more opportunities for attack.  In “Your JPMorgan account got hacked. Now what?”, author Danielle Douglas-Gabriel shares her concern that although the JPMorgan hackers did not obtain any “critical” information (i.e. passwords, user IDs or credit card numbers), consumers still need to be aware.  All an attacker needs is a customer’s email address, together with the knowledge that the customer banks with JPMorgan, to do much more.  With that, the attacker can send authentic-looking emails that appear to come from the bank and ask for the more critical information. And in the blink of an eye, your identity is stolen.

So, are you protected?

As the age of Internet and mobile devices is upon us, one needs to be proactive in securing their identity.  There are many different types of breaches and many different solutions that help protect against those breaches.

One way to protect yourself from phishing emails is never to share sensitive data in reply to an unsolicited message, however legitimate it looks.  For more great tips on preventing phishing scams, check out Lisa Eadicicco’s article on avoiding phishing scams, “How to Avoid Phishing : 8 Tips to Protecting Your Digital Identity.”

Another way to limit the damage from a stolen password is a two-factor authentication solution.  Requiring a second factor adds a layer of protection that a password alone does not: more than the password is needed to gain access to the account, so a password captured by phishing is not enough on its own.

So, as we inch closer and closer to a completely virtual world, consumers need to be aware of breach fatigue, the consequences it has in store, and how to overcome it.

 

http://www.pressherald.com/2014/10/07/data-breach-fatigue-follows-2-cyber-intrusions/

http://www.washingtonpost.com/news/get-there/wp/2014/10/03/your-jpmorgan-account-got-hacked-now-what/

http://scamicide.com

 

 

 


UPS Hacked!

“It was the best of times, it was the worst of times.”

 

This famous quote from Charles Dickens’ classic novel, A Tale of Two Cities, captures how two forces, like good and evil, are equal rivals contending for survival. The same goes for the world of cyber security. We have a world of information, convenience, and entertainment at our fingertips, and yet, in that same world, there is the danger of having valuable information stolen.

 

In Alex Rogers’ article on time.com, “UPS: We’ve Been Hacked,” Rogers reports on the newest breach, this time at The UPS Store. “The United Parcel Service announced Wednesday that customers’ credit and debit card information at 51 franchises in 24 states may have been compromised.” Rogers continues, “The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26.” Even though the breach was wide ranging, UPS stated that as of August 11 the threat had been eliminated.

 

UPS issued a public statement, “The customer information that may have been exposed includes names, postal addresses, email addresses and payment card information. Not all of this information may have been exposed for each customer. Based on the current assessment, The UPS Store has no evidence of fraud arising from this incident.” UPS went on to say that it is safe to shop at all of the UPS branches.

 

As fiction continually tells us in prose and verse, good and evil will always be at odds with each other, just as Dickens foreshadows in A Tale of Two Cities. So what can we do about it? Well, our job is twofold. We need to follow Password Best Practices (PBP) ourselves, and petition the applications and companies we use on a daily basis to start supporting two-factor authentication.

 

Password Best Practices

 

Password Best Practices (PBP) are the easiest first step toward securing logins to the applications and portals that hold private information. PBP give practical advice on how to strengthen a password, how often to change it, what not to do with it, and much more. By educating users on PBP and enforcing them, you are on your way to stronger passwords and more secure logins. Penn State has done a great job outlining Password Best Practices on their site. The article is a great resource and a reminder of what we should be doing with our passwords.

 

What you can do about Two-factor Authentication

 

You may ask yourself what you can do to ensure that personal information is protected with two-factor authentication. There are two things one can do. First, if you have sway and influence in your IT department, there are identity management providers that offer usable two-factor authentication, which protects accounts against password theft over the network. Second, if you are only a user with no influence in the IT department, there is a site that maintains a list of which services support two-factor authentication. From that list you can send a direct request to those that do not yet support it. The list is also a quick way to see whether your favorite applications and websites are doing their part in protecting your personal information.

 

Even though we seem to be living in a constant state of “the best of times, it was the worst of times,” we can do our best to fight the theft of identities by educating ourselves on Password Best Practices and petitioning companies to support two-factor authentication.

Violated Database: Montana Department of Public Health and Human Services

Your car has been broken into, yet nothing was stolen. Nothing was stolen, so no big deal, right? WRONG! You would still feel violated, creeped out, and concerned about it happening again. The Montana Health Department has experienced a similar data breach.

 

On May 15th, officials at Montana’s Department of Public Health and Human Services (DPHHS) noticed unusual activity. After further investigation, DPHHS confirmed that a server had been breached by hackers, and according to Alison Diana’s article “Montana Health Department Hacked,” the department is notifying “1.3 million people of the incident” and assuring them that their information will be protected. Diana adds that “there is no evidence this information was used inappropriately – or even accessed.”

 

At the moment, DPHHS is ensuring that a stronger security solution will be put in place to prevent such attacks from happening again, and extra measures are being taken to ensure that all citizen information is not compromised. There is a help line that DPHHS has on their website with information for potentially affected patients.

 

Diana goes on to address the increase in attacks on healthcare databases: while “many healthcare breaches have historically resulted from employee carelessness or error, hackers are increasingly attracted to this industry’s rich stash of personal data — including Social Security numbers, credit card information, and addresses — and personal health information.” With all this private information housed in healthcare databases, it is imperative that stronger authentication be put in place, along with educating employees on Password Best Practices (PBP). Many IT professionals are turning to PortalGuard for Healthcare for stronger security and increased usability for their organization.

 

 

http://www.informationweek.com/healthcare/security-and-privacy/montana-health-department-hacked/d/d-id/1278872

Young Hacker Infiltrates High School Database

We live in a world of multiple cyber threats, many of them coming from pseudonymous actors in countries we have never been to. Within the United States, we have our fair share of hackers who cause major problems and steal sensitive data. It is sad and eye-opening when it happens at the high school level.

 

Recently, a 16-year-old boy gained access to a school database that held personal information like grades and attendance. By gaining access to this database, the student was able to change multiple attendance records and grades.

 

According to Ashley Carmen’s SC Magazine article “Orange Public School district staff and authorities believe the student accessed the computer system through a teacher’s login credentials . . ., however, they aren’t sure of how he obtained access to the teacher’s password.” With the privacy and safety of students being top priority over the last decade or so, it is surprising that many K-12 schools have not deployed a second factor for account logins for both students and faculty.

 

With this account hacking comes “multiple counts of second-degree computer theft for unlawfully accessing and altering data and one count of hindering apprehension,” according to Carmen. This case is going to be handled in Family Court.

 

As K-12 schools begin to invest in identity solutions, many are turning to PortalGuard for education, giving them stronger security and increased usability.

 

 

http://www.scmagazine.com/new-jersey-teen-charged-after-altering-students-grades-and-attendance-records/article/358103/

Press Release: Get the Level of Identity Management Your Campus NEEDS for Office 365

 

BEDFORD, NH– (Marketwire – June 25, 2014) – Today, PistolStar, Inc. announced the integration of its PortalGuard product with Office 365. This integration will give administrators the power to choose the level of convenience and security they desire for their students and faculty while accessing Office 365, including:

 

-Self Service Password Reset (SSPR)

-Single Sign-on (SSO)

-Two-factor Authentication

 

With PortalGuard integrated with Office 365, schools now get the level of identity management they need. Gregg Browinski, CTO of PistolStar, Inc., comments on the level of identity management and security with PortalGuard. “Using Office 365 guarantees 99.9% uptime for your campus email infrastructure, but this benefit is moot if students forget their passwords and can’t log in. Federating Office 365 with a local ADFS instance can allow SSO but this just pushes a ‘forgotten password’ scenario further back to the desktop login and still lacks stronger two-factor authentication or self-service password reset options.” Browinski continues, “Swapping PortalGuard in place of ADFS in this architecture can provide standards-based web SSO and highly flexible SSPR from a single, tightly integrated, brandable, login interface.”

 

Using PortalGuard’s SSPR, students and faculty are given the power to reset their passwords from the web or desktop, reducing help desk calls and increasing ROI. SSO streamlines the login and reduces the barriers to access; with just a single login, the students and faculty gain access to all of their authorized applications, including: Blackboard, Moodle, Canvas, Banner, Google Apps, and Office 365.

 

PortalGuard provides the level of identity management your campus needs. Learn more about PortalGuard®’s integration for Office 365 and other education applications on the PortalGuard Education page.

Press Release: Strengthening Web Authentication, Without Overcorrecting

BEDFORD, NH–(Marketwired – Jun 3, 2014) – Today, PistolStar, Inc. announced immediate availability of PortalGuard’s newest solution, PassiveKey. PortalGuard’s PassiveKey is a customer-driven response to deliver the latest in innovative identity solutions. PassiveKey transparently enables two-factor authentication while allowing the user to log in with the familiar username/password approach. This simultaneously strengthens authentication and eliminates the need for end-user training.

“Many think the correlation between strong security and identity logins is an unavoidable inconvenience to the end user. With PassiveKey, you can strengthen identity logins without ever impacting the end user,” says Thomas Hoey, founder and CEO of PistolStar, Inc. “Increasing security can be accomplished with many different second factor methods, but most stifle usability, negatively impacting the end user,” Hoey says. “Answering the need for both security and usability, PassiveKey cuts through all the hassle of second factors without ever compromising strong identity security.”

 

 

With PassiveKey enrolled on a user’s device, the user logs into the protected account like they normally would with their password while PassiveKey transparently generates and transmits a one-time token which is validated by the PortalGuard server based on a shared secret between the two. “It is clear that it is no longer enough to protect private information with just a password,” Hoey continues. “Authenticating the user today must be more than just a user’s password, but the login process must be as easy as using just a password.” Revolutionizing logins, PassiveKey is restoring the balance between security and usability.
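The sentence above describes the general shape of a shared-secret one-time token: device and server hold the same secret, the device derives a short-lived token from it, and the server recomputes the token to check it. What follows is an added example of that pattern, not PassiveKey’s or PortalGuard’s code, and it says nothing about how PassiveKey itself derives or transports its token; the construction used here (RFC 6238 TOTP over HMAC-SHA256, 30-second steps, 8 digits, one step of clock skew) and the replay check are assumptions made for the example.

```python
"""Shared-secret one-time token: device side and server side.

Added example, not PassiveKey's or PortalGuard's code. The concrete construction
(RFC 6238 TOTP over HMAC-SHA256, 30-second steps, 8 digits, one step of skew)
is an assumption made for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # assumed token lifetime
DIGITS = 8
DRIFT_STEPS = 1     # accept one step of clock skew either way


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation over HMAC-SHA256 (RFC 6238 allows SHA-256)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def client_token(secret: bytes, now: int) -> str:
    """What the enrolled device computes and sends along with the password."""
    return hotp(secret, now // STEP_SECONDS)


class TokenValidator:
    """Server side: one shared secret per user plus replay protection."""

    def __init__(self) -> None:
        self.secrets = {}        # user -> shared secret
        self.last_counter = {}   # user -> highest time step already accepted

    def enroll(self, user: str, secret: bytes | None = None) -> bytes:
        """Generate (or accept) the per-user secret at enrollment time."""
        secret = secret or secrets.token_bytes(32)
        self.secrets[user] = secret
        self.last_counter[user] = -1
        return secret

    def validate(self, user: str, token: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None or len(token) != DIGITS or not token.isdigit():
            return False
        current = now // STEP_SECONDS
        for counter in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if counter <= self.last_counter[user]:
                continue   # step already consumed: a captured token cannot be replayed
            if hmac.compare_digest(hotp(secret, counter), token):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    server = TokenValidator()
    device_secret = server.enroll("penny")     # happens once, at enrollment
    t = 1_400_000_000                           # device clock value (constructed)
    token = client_token(device_secret, t)      # sent together with the password
    print("first use accepted:", server.validate("penny", token, t))
    print("replay accepted:   ", server.validate("penny", token, t))
```

The replay check is the part a practitioner should not skip: a token captured in transit is only valid for its time step, and marking the step as consumed on first use means the same token cannot be presented a second time inside the skew window. Validation is a constant-time comparison, and the password check that precedes it in the real login flow is left out here.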

For more details, a free demo, or the PassiveKey video, visit the PassiveKey product page.

About PistolStar, Inc.
PistolStar, Inc. was founded in 1999 and is located in Bedford, NH and provides multiple services through PortalGuard. PortalGuard is Your Ideal Identity Solutions Experience, providing dedicated services, innovative solutions, and proven value. For more information, visit our website.

Honesty is the Best Policy: Passwords, IT Security Professionals, and Llamas!

 

Well, the truth is that many organizations are just not enforcing the basics of Password Best Practices (PBP), never mind investing in and enforcing stronger identity security. With so much emphasis on ROI, the truth is that IT security professionals make the dangerous decision to purchase the minimal authentication solution just to have “something” in place. And the truth about Llamas: never tick off a Llama; they spit when provoked or threatened!

 

Passwords are precious things, yet they have lost their importance in the eyes of the public. According to Teri Robison’s article in SC Magazine, “Study: Security pros still grappling with lax password policies,” respondents to Lieberman Software’s “2014 Information Security Survey” say “that they can still access systems at a previous place of employment by using old credentials. Disturbingly, in some cases, the report found, they can even access the systems of two or more employers.” A good place to start would be PBP, but sadly, Robison reports that in the survey “quite a few respondents — nearly one in four — say their organizations don’t change their service and process account passwords within 90 days, which is recommended by most mandatory regulations.” This is staggering, and I believe there is a Llama spitting somewhere right now.

 

Also in the article, Robison quotes Lieberman stating, “’it’s astonishingly common’ in corporate and government networks for the administrator passwords . . . ‘to be shared across multiple systems, remain unchanged for extended periods of time, and be used without any access control or audit records.’” It goes without saying this is an unacceptable policy . . . anywhere!
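The two findings quoted above, service and process account passwords not rotated within 90 days and one administrator password reused across many systems, are the kind of thing a credential audit can flag mechanically. The following is an added example, not from the article, the survey, or any PortalGuard product, run over a constructed list of account records; the Account fields, the credential_id values (standing in for a password hash an audit tool would collect) and the 90-day threshold are assumptions for the example.

```python
"""Flag stale privileged passwords and passwords shared across hosts.

Added example; the account records below are constructed, not from any real
export. credential_id stands in for the password hash an audit tool collects,
so equal ids mean the same password is in use on those hosts (an assumption).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)   # the rotation interval the article cites


@dataclass(frozen=True)
class Account:
    host: str
    name: str
    kind: str            # "service", "admin" or "user"
    credential_id: str   # hash of the current password (constructed)
    last_set: datetime   # when the password was last changed


def stale_accounts(accounts, now, max_age=MAX_AGE, kinds=("service", "admin")):
    """Privileged accounts whose password is older than max_age, oldest last."""
    return sorted(
        (a.host, a.name, (now - a.last_set).days)
        for a in accounts
        if a.kind in kinds and now - a.last_set > max_age
    )


def shared_credentials(accounts):
    """Credential ids that appear on more than one host (one password, many systems)."""
    hosts_by_cred = defaultdict(set)
    for a in accounts:
        hosts_by_cred[a.credential_id].add(a.host)
    return {cred: sorted(hosts) for cred, hosts in hosts_by_cred.items() if len(hosts) > 1}


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample: one local Administrator password reused on three hosts and
# never rotated, a backup service account rotated over a year ago, a recently
# rotated deploy account, and an ordinary user account that is out of scope.
NOW = _utc(2014, 6, 1)
SAMPLE = [
    Account("web01", "Administrator", "admin",   "h:4f1a", _utc(2013, 1, 10)),
    Account("web02", "Administrator", "admin",   "h:4f1a", _utc(2013, 1, 10)),
    Account("db01",  "Administrator", "admin",   "h:4f1a", _utc(2013, 1, 10)),
    Account("db01",  "svc_backup",    "service", "h:9c02", _utc(2013, 3, 1)),
    Account("web01", "svc_deploy",    "service", "h:77e1", _utc(2014, 4, 15)),
    Account("web01", "penny",         "user",    "h:0b3d", _utc(2012, 5, 5)),
]

if __name__ == "__main__":
    for host, name, age in stale_accounts(SAMPLE, NOW):
        print(f"STALE  {host}/{name}: password {age} days old")
    for cred, hosts in shared_credentials(SAMPLE).items():
        print(f"SHARED {cred}: same password on {', '.join(hosts)}")
```

Both checks need data you already have if privileged accounts are inventoried: a last-changed timestamp per account, and a per-host hash of the current password so that reuse can be detected without ever collecting the cleartext. Anything the second check reports is exactly the "shared across multiple systems" condition Lieberman describes, and is the first thing to break up before rotating.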

 

With all the breaches in the news you would think the lesson would be learned indirectly and companies would prioritize authentication security. But truth be told, Robison also quotes Lieberman stating that “a breach ups interest in investing in security, but not for long . . . with a ‘half-life mentality’ companies loosen the purse strings in the wake of a data breach, ‘diminishing back to basic security after a few months,’” a sad truth to be sure.

 

In closing, it is a no-brainer: passwords must be stronger and PBP awareness shared, IT security professionals must invest in a solution that increases ROI, and stronger security means commitment!

 

So go ahead! Invest . . . the Llamas won’t mind.

 

 

 

Source:

http://www.scmagazine.com/study-security-pros-still-grappling-with-lax-password-policies/article/348888/2/

Google Removes Ad Scanning for Apps within Education for Good

Recently, Google announced on its blog that it is permanently removing ad scanning from applications used by education users. Google was quick to point out that it never intended to collect data from education-based Apps for advertising, and that in the past a campus administrator would have had to enable ad scanning. From now on, even where an administrator had enabled it, ad scanning will no longer be active in that environment.

As a brief overview, ad scanning is the automated process Google uses to scan your email and usage in order to serve more targeted advertisements based on your information.

The new Google policy is as follows:

“Google Apps for Education services do not collect or use student data for advertising purposes or create advertising profiles.

Gmail for consumers and Google Apps for Education users runs on the same infrastructure, which helps us deliver high performance, reliability and security to all of our users. However, Google Apps is a separate offering that provides additional security, administrative and archiving controls for education, business and government customers.

Like many email providers, we do scanning in Gmail to keep our customers secure and to improve their product experience. In Gmail for Google Apps for Education, this includes virus and spam protection, spell check, relevant search results and features like Priority Inbox and auto-detection of calendar events.  Scanning to provide product features is done on all incoming emails and is 100% automated. We do NOT scan Google Apps for Education emails for advertising purposes.

Additionally, we do not collect or use any information stored in Apps for Education users’ Google Drive or Docs (or Sheets, Slides, Drawings, Forms) for any advertising purposes”

Great news for business-based Google Apps users too: this policy will be carried over to those Apps in the near future. Google also pointed out that it had already permanently disabled this feature for all signed-in K-12 users last year.

Source: http://time.com/82705/student-pass-google-junks-gmail-ad-scanning-for-student-accounts/#