Cybersecurity Climate Only Getting Worse

The heat is rising fast in the cybersecurity world. At a recent conference in Phoenix, AZ, we saw how the industry’s top hackers and defense experts team up to fight an ever-increasing number of invasion attempts from bad actors around the world. Visiting a cybersecurity war room really opened our eyes.

We were ushered into a huge room, full of screens that hackers and defenders used to monitor traffic. This link, which shows the origins of constant firewall attacks from all around the world, made a huge impression on me. The attacks were detected because they had an invalid format or invalid character. It meant that the hackers probably forgot to change the language they were using to launch the attack.

My takeaway is that if hackers get smarter or pay more attention to details, they can become more lethal. They can use AI (artificial intelligence) to eliminate the need to know English, and that’s scary. For example, as we saw, they can use Chat GPT to create malware with a specific task. It’s only going to get worse as we hit the holiday shopping season.

Helping a client deal with an email hack brought home all the dangers. They thought they had an email hack, which resulted in emails going to their contacts under the guise of coming from them about file sharing in Dropbox. They thought they had it fixed, but the same problem cropped up two weeks later. It had a link to click (always a danger sign when the recipient “trusts” the sender).

As we got into the process of fixing the hack, it involved an apple.com account with a reference to Dropbox. Our efforts were hampered by the difficulty we had getting into accounts to verify that the hackers were using Dropbox to launch bogus email.

Our client could have just ignored the problem, or they could have sent an email to their entire contact list to warn them not to open emails with the Dropbox reference. But my preference and theirs was to get to the root of the problem. You have to know where all the dots and connections are so that you can get ahead of the hackers and shut them out.

We can help you stay secure by auditing your cybersecurity practices and implementing programs to strengthen your defenses. Call us – 973-433-6676 – or email us to discuss your cybersecurity and gain more peace of mind.

New Device, Same You, New Problem

You’re still the same person you always were, but when you get a new device, you’re a different person as far as some login procedures are concerned. You need to get back to basics in setting up account access. It’s a more acute problem as we do more work outside the office.

We recently got a call from a client who had trouble logging into a work system through a VPN with two-factor authentication (2FA). Nobody had changed any of the login information, so it was all baffling until the client mentioned they had a new phone.

Another client called because they couldn’t get into their email. Again, they had a new phone.

These incidents highlight the good and the bad of multiple authentication steps. The good is that they’re based on the device being used to verify the right of the person to access an account. That means a hacker halfway around the world can’t use their computer to get in. The bad is that you have to take the time to reconfigure all your access info. (Hey, we’re really sorry for the inconvenience.)

Because both cases involved clients with new cell phones, we had to invalidate their old cell phones. We registered one client as a new user and registered a new cell phone number for the other. These are essential steps everyone needs to remember to take as you get new devices.

And because all the 2FA steps in common use are tied to devices, it’s a good idea to make sure your devices require some extra steps to unlock them. Many people use a four- or six-digit PIN, and more people are going to biometrics. While nothing is impossible, even if someone knows your online login info and has your device, they can’t access your accounts if they can’t unlock the device.

If you or your employees are getting new devices, we can help you make sure that they have access to email and online accounts and protect them from unauthorized users. The process isn’t difficult, but it does involve diligence to check all the boxes in the setup process. Call us – 973-433-6676 – or email us if you have questions or need help in going through the process.

The 2FA Police

Microsoft is enforcing requirements for 2FA (two-factor authentication) for many of its apps. The good news is that it protects your data better. The bad news is that you must use authenticator codes and messages. It’s time to ensure everyone in your office (or family for home users) is up to speed on using authenticators and other 2FA measures.

Microsoft’s Authenticator App gets downloaded onto your iPhone or Android phone and helps to verify it’s you when you log in to an online account using two-step or two-factor verification. It uses a second step, such as a code sent to your phone, to make it harder for others to break into your account. Two-step verification helps you use your accounts more securely because passwords can be forgotten, stolen, or compromised.

One common way to use the Authenticator app is through 2FA, where one of the factors is your password. After you sign in using your username and password, you can either approve a notification or enter a provided verification code. Options include:

  • Signing in by phone with a version of two-factor verification that lets you sign in without requiring a password. It uses your username and your mobile device with your fingerprint, face, or PIN.
  • Using a code generator for any other accounts that support authenticator apps.
  • Using it with any account that uses 2FA and supports the time-based one-time password (TOTP) standards.

Any organization can require using the Authenticator app to sign in and access its data and documents. Even if your username appears in the app, the account isn’t set up as a verification method until you complete the registration. The entire process can be done more efficiently with a mobile phone that can scan a QR code on a computer screen.

Remember that most authenticator apps still require a password in commercial use, and every user must know their password or risk being locked out. The consequences can be time-consuming and costly – if not fatal. Everyone should write their passwords on a piece of paper and store them in a safe place.

We had a case with a client who used a customized database that was never upgraded for 20 years. A former IT company did the last work on it. Nobody had the password to get into the account housing the database. They suggested calling the programmer, but the programmer had died. Nobody admitted to changing the password at any time. We spent a few hours trying to access the database to no avail. Finally, we called the former IT company, and they had a password for one file.

That was the password that worked, and we were able to perform the necessary work. But we can’t stop thinking about all the time – and money – that was wasted because nobody had a password.

In today’s world of hacking and cybercrime, it will become more and more challenging to try multiple passwords without severe consequences. It’s up to you to ensure that you and key employees have all your necessary passwords and 2FA to protect your data – and to insist that your employees have 2FA set up for their corporate login info.

We can help you ensure you have all the correct authentication and management systems. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.