Passwords’ Brave New World

While passwords need to go away, they won’t disappear overnight. So, we highly recommend you – and the internet world – follow some guidelines from the National Institute of Standards and Technology (NIST) in managing your online presence.

For individuals and small businesses, managing hundreds of passwords for all the websites and resources you need to access requires a concentrated effort. Every organization with which you interact online has to manage your password and everyone else’s. Website managers and administrators work hard to roll out security strategies, but piecemeal security strategies are ineffective and risky. There are too many cracks for passwords and other measures to fall through. Ad hoc strategies leave room for errors that could put customers’ data in jeopardy. This is where NIST comes into play and understanding what’s behind their guidelines can help you take some action for your online security. 

Part of the Department of Commerce, the NIST develops guidelines based on best practices from a diverse array of security organizations and publications. NIST guidelines are so well-respected that private sector organizations have adopted them to keep their entire infrastructures secure. They affect some of the requirements you get when creating your own passwords – which you need to follow because they are in response to newer, more powerful threats.

Here are some of the most important new guidelines that NIST has issued to those who provide the services that manage internet access. You can expect them to affect you.

  • Go long: The suggested minimum is 8 characters when a human sets a password and 6 when it’s set by automation. However, NIST encourages users to create passwords with 64 characters or more, including things like spaces and emojis. They’ll be harder to crack.
  • Remove reset requirements: As users struggle to drum up countless creative, strong new passwords each month, they end up creating weaker passwords. Password strength should be about quality, not quantity—one excellent password is better than 10 new, mediocre ones. 
  • Keep it simple: How often have you created a new account, for a new application, online store, or digital news outlet, and encountered the prompt, “your password must contain one lowercase letter, one uppercase letter, one number, and one symbol”? Overly complex passwords can lead to poor password behavior, just as with frequent resets.
  • Be more user-friendly affair: The “show password while typing” is a rare option that can let you use longer, stronger passwords because you don’t have to remember all those gyrations you created. Another friendly option is to allow users to copy and paste passwords. Users who are allowed to copy and paste their passwords are more likely to create and store stronger, lengthier passwords within password managers than those who are forced to type out their password every single time. 
  • Go clueless: Knowledge-based authentication clues can save time, but with all the personal data available today, it’s easier than ever for hackers to decode hint prompts and breach systems.
  • Limit attempts: NIST password standards recommend providing users with a maximum of 10 login attempts before they are turned away. That should be enough to aid a forgetful user but not assist brute-force attackers. 
  • Go hands-free: SMS texting services should not be a part of any two-factor authentication (2FA) process. It isn’t entirely secure, enabling cybercriminals to insert malware that can redirect text messages and facilitate attacks against the mobile phone network. 

NIST standards and the guidelines listed above are important because newer, more powerful cyberthreats will always be deployed. As a user, you need to be aware of newer and better security options. We continue to advocate for biometrics and other measures that are unique to you – and only you – to allow access to your online world.

For most of us, a password manager that works across all the platforms you and your family or businesses use is still a strong defense against hackers. We like Dashlane because its paid version covers an unlimited number of website passwords across multiple devices. For those of you with the right technology, you can start to take advantage of other techniques to access your protected websites. Contact us by phone – 973-433-6676 – or email to discuss your needs and see how we can make you more secure.

Using Alternatives to Passwords

We have harped…and harped ad infinitum…about having strong passwords simply because those strings of upper- and lower-case letters, numbers and special characters offered the best chances of staying ahead of the hackers. But we’ve always reminded you that something better is needed because the bad guys have a vested interest in developing better systems to crack passwords and in finding more ways to exploit vulnerabilities in anybody’s electronic vaults that store vital personal and corporate info.

When one of our clients got hacked, we installed a password-less system to offer them better security. Our solution, which uses Microsoft Azure, is one of the emerging technologies to replace passwords with biometrics, one-time codes, hardware tokens and other multi-factor authentication options. What they do is exchange tokens and certificates without users – you, your employees and your customers – needing to remember anything. The new pathway to better protection even bypasses the password managers that many of you use.

IT industry figures show that more than 80 percent of security breaches involve stolen passwords and credentials. We all pick passwords that are too simple and easy to guess, or we store and reuse a few complex passwords that we can remember. That problem is exacerbated by forcing regular password changes even without evidence of breach. If password reset systems rely on people, they can be fooled by social engineering. Password-less technologies can combine certificates with contextual security policies that require less from you. They rely more on trusted devices and connections, and they can add layers of complexity as risks rise. New security can be based on the value of the content and factors such as user behavior, device location and connection, or the state of the device.

You can already set up password-less access using Microsoft’s Azure AD Conditional Access. Many of you who use our backup services already have Azure accounts, and you can use the technology to manage:

  • Sign-in risk to identify who’s signing in and determine who’s a risk.
  • Network location to determine if access is being attempted from a network location that is not under your control or the control of your IT department.
  • Device management for accessing cloud apps from a broad range of devices including mobile and personal devices.
  • Client application to manage cloud access using different app types, such as web-based, mobile, or desktop.

There are some cross-platform technologies available for going password-less, but it all starts with the Microsoft Authenticator app. It uses key-based authentication to create a user credential that’s tied to a device and uses a PIN or biometric. Instead of using a password to sign in, users see a number code to enter into the Authenticator app, where they have to enter their PIN or provide a biometric.

Password-less sign-in for Microsoft accounts with the Microsoft Authenticator app is already available, and support for signing into Azure AD is now in public preview. Right now, the app can only cover a single account registered with Azure AD in one tenant, but support for multiple accounts is planned in the future. It covers Office 365 and Azure and works with a variety of other apps.

If you’re ready to go password-less, we can help you decide what’s right for you and set up your accounts and devices. Just give us a call – 973-433-6676 – or email us to set up an appointment.

Hack Attack Continues vs. Businesses and People

While government-sponsored hacking and disinformation makes big news, don’t take your eye your eye off the ball when it comes to protecting your personal and corporate data. A report from a consulting firm, Positive Technologies, painted a dark, dark picture, saying the second quarter of 2018 showed a 47 percent increase over 2017. You need to remain vigilant, even when events are beyond your control. Nobody is immune.

As reported in Tech Republic, Positive Technologies said the most common methods of cyberattack are:

  • Malware (49%), with spyware or remote administration malware being the most widely used forms of infection.
  • Social engineering (25%) is the term for manipulating users into believing a message, link, or attachment is from a trusted source, and then infecting targeted systems with malware, stealing money, or accessing confidential information.
  • Hacking (21%) exploits vulnerabilities in software and hardware, causing the most damage to governments, banks, and cryptocurrency platforms.
  • Credential compromise (19%) targets password managers used for storing and keeping track of passwords.
  • Web attacks (18%) are online racketeering attempts to extort website operators for profit, sometimes by threatening to steal client databases or shut down the website.
  • DDoS (5%) tends to be the weapon of choice for business rivals, disgruntled clients, and hacktivists. Political events can drive attacks on government institutions. Criminals can use DDoS attacks to take websites offline and demand payment from the victims.

Attacks can be made in tandem, such as the common duo of using phishing emails to trick users into downloading malware.

Financial and healthcare institutions, retailers, and government databases remain prime targets, but higher education institutions and even school districts are being attacked. Wired reports that this past March, the Department of Justice indicted nine Iranian hackers in alleged attacks on 144 US universities and 176 in 21 other countries. They were also cited for attacking 47 private companies.

Hackers are homing in on the money. Positive Technologies said targeted attacks are outnumbering mass campaigns, with attacks directed at companies and their clients, as well as cryptocurrency exchanges. Data theft is driving an increasing number of attacks, with many criminals seeking personal data (30%), credentials (22%), and payment card information (15%). To steal this data, hackers are compromising online platforms, including e-commerce websites, online ticketing systems, and hotel booking sites.

The scary part for us is the report you can never be sure that criminals don’t have your credit card number from one source or another. Even a brand-new smartphone in a store can have pre-installed malware.

People and businesses can take steps to keep their data safe by installing updates for operating systems and application software and installing antivirus protection on all systems and endpoints and keeping it up to date.

Businesses can encrypt all sensitive information, perform regular backups, minimize the privileges of users and services as much as possible, and use two-factor authentication. Enforcing a password policy with strict length and complexity requirements, and requiring password changes every 90 days, can also help protect systems.

We offer security audits for businesses, and we can answer any questions individuals have about protecting themselves from cyberattacks. Call us – 973-433-6676 – or email us to set up an appointment.

Updating Your Cloud Strategy

We hear all about the cloud without end. For large corporations and individuals, using the cloud is a nearly flawless solution for storing and accessing apps and data from anywhere. But for small businesses, exclusive reliance on the cloud may not be the best solution. Here are some decision-making factors.

First, for all their differences in size, a huge corporation and an individual have a few things in common. Individuals and corporate employees can travel anywhere in the world and need to access apps and data wherever they are. The cloud works really well for this.

Although they operate on totally different levels, subscription-based apps such as Office 365 work really well for individuals and large corporations. Individuals can share the cost over a large user base, enabling each to benefit from constant upgrades that app publishers can update from central locations. Large corporations essentially do the same thing within their communities. They spread their cost over many users, and their tech teams control the software-update process to keep operations running as smoothly as possible.

A small business is different in one significant way. It’s essentially a self-contained community of users who use the same apps and data in one location. Yes, that business may have employees who log in ‘from remote locations, and yes, it may benefit from subscription-based application software. But we are likely talking about 10 to 100 people who are working with the same apps and data in a “bubble” known as the office. While small businesses combine to form a huge user base, each has its own specific needs, and our clients rely on us to customize systems to meet specific needs.

Therefore, the cloud may not be the solution, especially if you are a small business still working with a combination of a Windows 7 operating system and a Windows 2008 server, either in your office or in the cloud. We’re approaching a perfect storm with that combination because by January 2020, Windows will no longer support that OS and server platform. They’re too old and expensive for Microsoft to develop performance upgrades and security patches. You are being brought to a decision point.

We recommend that small businesses look at a cost/benefit analysis that covers five years to determine whether you upgrade your OS and server or migrate to the cloud. Five years is a good projected lifetime for a server and OS, it makes it easier to compare their cost with setting up and using a cloud-based system.

Setting up a server on the cloud involves costs, including the cost of server space and the cost to set it up to meet your needs. Once that’s done, your maintenance cost should be minimal. If your business runs Office 365, you already have a cloud presence through Azure, Microsoft’s cloud system. And while Azure automatically updates its server, it’s still a maintenance operation. All cloud servers need maintenance, and it’s something you pay for as part of your agreement.

Of course, using a cloud-based server requires access to a good internet connection, one with sufficient bandwidth for your needs and virtually perfect reliability. If you don’t have the bandwidth, your business won’t operate at its desired level. If your service goes down, you’re out of business until it’s restored.

If your computing needs are largely internal, you might be better served with your own server on a strong internal network, which can be hard-wired for better performance and security than a Wi-Fi network. You’ll incur purchase and set-up costs for your server, and you’ll need to install all updates in a timely manner. But your maintenance expenses should be relatively low once you’re up and running.

By setting up computers as terminals on a server and hard-wiring the network, you won’t need a router system or a big pipeline to the internet. You’ll also have fewer internet access points to secure, and that could help keep out intruders. Finally, depending on your employees, they’ll likely be less likely to wander off to other things on the internet.

Whichever way you go, you will have the most up-to-date servers, application software and security technology available at the time of installation. Cloud systems will update automatically, but your internal system can be configured to download and install updates.

With a January 2020 deadline, you have time to analyze your options and start moving along your chosen migration plan. We can help you analyze your business’s needs over the next five years and put a plan into action so you don’t miss a deadline or a beat. Call us – 973-433-6676 – or email us for an appointment.

Hello, New Security Technology

Passwords are on the verge of becoming extinct, and for many people, the passing of passwords will be like getting rid of a migraine. With the latest Windows 10 major update from Microsoft, your computers and devices may now say “hello” to you to access Microsoft accounts, and additional security measures may now work together better with smart devices. Facial recognition is playing a big role.

Security is more important than anything in today’s world, and hackers keep cyber defenders back on their heels in many instances. Our message continues to be that you need to harden your security measures while you have control of your computer, device, network, etc. If you wait until it controls you, it can cost you a lot of time, money and aggravation.

Combining facial recognition with another authentication factor is one element of Hello, which is available on certain computers with Windows 10 installed. It replaces a password with biometrics to authenticate secure access to devices, apps, online services and networks with a fingerprint, iris scan or facial recognition. It’s considered to be more user friendly, secure and reliable than traditional passwords, which are easy to crack because most people use simple ones they can remember or leave written notes in easy-to-find places.

You can authenticate a Microsoft account or a non-Microsoft service that supports Fast Identity Online (FIDO) by setting up a facial scan, iris scan or fingerprint to log into a device. Hello uses 3D-structured light to create a model of someone’s face and then uses anti-spoofing techniques to limit the success of people creating a fake head or mask to spoof the system. Once you set up your initial scan, the image will enable you to unlock access to Microsoft accounts, core applications and third-party applications that use the system. You can modify facial and iris scans, and add or remove additional fingerprints, and you can uninstall biometric identification.

Microsoft has updated Hello to support new security keys and offers two-factor authentication. There are keys to authenticate users for Azure Active Directory without requiring that a user enter a username or password, or even set-up Windows Hello beforehand. Technology advances could include authentication through a smartphone, but don’t expect any of those to involve text messages. Your cell phone number can be easily highjacked, and a perpetrator can simply have all of your passwords sent somewhere else without you ever knowing about it.

Windows’ latest update, version 1809, which is being pushed out this month, will increase the number of computers able to use Hello, and that will certainly help expand its user base – which, in turn, will spur more development of more ways to use it.

Microsoft is working with a growing number of service providers and device manufacturers to give its users a more seamless method to authenticate multiple accounts. Ultimately, the industry needs to tighten its false rejection rates and “liveness detection,” which ensures that the scan is that of a living person.

We’re confident that use of these new systems, such as Hello, will make us more secure, especially for business systems. We still see so many offices with passwords attached to computer monitors. Hello will go a long way to eliminating this particular potential for security breaches.

If you have computers that can work with Hello, we urge you to take a close look at implementing it. If you have questions about getting computers that are compatible with Hello or will be, we can help you set it up or prepare you to set it up. In the meantime, we can perform a security assessment to make sure your information technology system has no open backdoors or trapdoors that can allow access. This can be especially important, as one client discovered after they bought a company and started to merge IT systems.

Call us – 973-433-6676 – or email us to talk about your security.

Windows 7 Support Ends in January 2020

Here’s our first warning: Microsoft will end technical support of its Windows 7 operating system in January 2020. That means there will be no more security patches and bug fixes. Is that bad news? Probably not. Performance-wise, the operating system has outlived its usefulness, and all the special applications and hardware you run off it are probably well beyond their useful service life. We’d bet you’ve likely squeezed out every penny of your ROI, and Microsoft is doing you a favor (of sorts) by nudging you into its next generation OS.

The good news is that you have lots of time to plan for its replacement, and that’s important for businesses who have invested a lot of time, training and money for custom-written or highly customized software. If that’s the case for your business, you have my sympathies, but you should also know you’ve had a really good run.

We’ll talk more about the economics of performance issues in this newsletter (Refreshing Devices Re-Energizes Them – Up to a Point), but if you’re still running Windows 7, you face security issues and the need to carefully plan how you’ll replace your application software.

The loss of security patches and bug fixes will be devastating if you don’t update your technology. Because Windows 7 is an old OS, the bad guys have had lots of time to probe its vulnerabilities. Once the defenses go down, their efforts to crack a system that they can monetize will pick up. They’ll look for ways to get your financial information or disrupt your operations.

We suggest you start your transition planning now. If you have custom-written (proprietary) software, you must find out now if that software can be updated or rewritten. If it can be brought up to date to carry you into the future, your provider will need time to modify or create and test the software, and you’ll need to know how much computing power you’ll need to make it work.

We can help you look at the computer specs needed to meet your processing requirements, and we can work with your software provider to make sure hardware and software are coordinated. Microsoft is planning a massive Windows 10 update this month, and it’s reasonable to expect another update if you plan to have your new system up and running before the end of 2019. Working together, we’ll have the best chance to make sure that your new application software is compatible with the OS updates and that it will work throughout the lifetime of Windows 10 and its successor.

If you’re upgrading your software to work with Windows 10, we can’t encourage you enough to upgrade your hardware, especially if your current hardware is way below current standards. The new OS and application software will be written to work with most up-to-date and most-likely-to-be-improved processors. If you match your hardware and software systems properly, you’ll get performance levels that have the capability to make your business more efficient and profitable for a longer time.

This will move you into a new realm of business and technology management. Once we know how all the ideal pieces should fit together, we can help you budget for your transition – which could be spread out over 18 months or so. We can help you bring in new computers in stages that match your software development, so that you and your employees can test systems and offer feedback to all of your providers.

With proper budgeting, scheduling, testing and training throughout the process, we can help you coordinate all the steps involved so that we can install your system and have all employees trained on their new hardware and software with minimal – if any – downtime.

It’s not too early to start the conversation. Call us – 973-433-6676 – or email us to set up an appointment to discuss your migration from Windows 7.

Refreshing Devices Re-Energizes Them – Up to a Point

Refreshing your computers, peripherals and devices requires you to take a long pause, but in the end, it still might leave you thirsting for better results. If you’re hanging onto old equipment, Tech Data reports a few facts that might make you change your mind.

First of all, the report says, some 46 million small and medium-size businesses rely on devices dating back to 2014. That’s approaching five years, and that can be a lifetime in technology. Second, repair costs for equipment four years old or more can be 1.5 times the cost of repairing newer technology. Finally, PCs older than four years can be less than half as productive – costing an average loss of productivity rate of $1,260, according to an internal study by Microsoft.

Microsoft, which is phasing out Windows 7 because of its increasing inefficiency (Windows 7 Support Ends in January 2020), certainly has an interest in seeing you buy new computers with their operating systems. But they also know that the more efficient and productive their customers are, the more likely they’ll continue to use Microsoft software.

So, with that last point out there, what are your considerations for refreshing or replacing a computer? If you’re running Windows 7, we see replacement as a no-brainer. One client engagement illustrates how extreme it can get. We were tasked with refreshing a 10-year-old computer to get it to run better, which we did at a cost of $200 or so – after we advised our client to replace it. Refreshing, in this case, meant reinstalling software and updating it as much as possible. A 10-year-old computer cannot run the latest versions of Windows or any application software, and you cannot install the latest, most secure browser software. If we had installed a new hard drive and added licensing fees and our setup time, it would have been about $570. A new computer would have been around $800 plus some setup time to properly install the operating system and applications and transfer some data files.

With that as background, let’s delve more into a cost-benefit analysis.

Performance: Older PCs, according to Tech Data, can only run approximately five applications simultaneously without performance degradation, while newer PCs can easily run eight or more, according to a 2016 study. On the other hand, new Windows 10 Pro devices with 7th and 8th generation Intel® vPro™ processors keep users more productive with up to 25 percent more time efficiency. They are also up to 28 percent faster for startup on average compared to Windows 7. Batteries can last up to three times longer on newer Windows devices.

Repairs: We mentioned early on that repairs can cost 1.5 times more for older computers than for newer computers. Some of that extra cost can come from more time to find parts. Generally speaking, older parts are scarcer and more expensive.

Security: We’ve harped on security, and here’s something to add: More than 50 percent of smaller businesses have suffered a data breach or cyberattack with the cost averaging more than $84,000 per breach. Older Windows devices are likelier to lack the latest hardware and software security features, putting data at risk. When you factor in the fact that small-business customers are prime targets for security breaches, you can be looking at costly recovery.   Upgrading to a computer that can run Windows 10 Pro will give you more built-in defenses and increased support for the lifetime of your device.

To translate all this into an action plan, we recommend refreshing and some component replacement for computers three years old or younger. For older computers, especially those running Windows 7, we recommend replacement. Business users will benefit from improved performance and security, and home users will benefit from better security. Call us – 973-433-6676 – or email us to discuss your refresh/replacement needs.

Password Agony; No Ecstasy

Passwords are a total pain. Upper- and lower-case letters, numbers and special characters in one password are likely unbreakable over the course of a lifetime. But just to be safe, you’re required to change them periodically – without repeating one you’ve previously used for a website. And if you go to extremes, well, it is possible that someone can beat you over the head and hold your finger or an open eye in front your phone and access your bank account. A password manager could relieve that pain.

Password managers are applications on your computers and devices to access a database where your passwords are stored. One of the big pains they relieve is the need to remember multiple complex combinations of letters, numbers and characters that – to be effective – are totally random. Almost all password managers let you create a master password for access to your identity vault, and then the password manager fills in individual user IDs and passwords for the sites and apps you use. One benefit is that you can give each site or app a different, complex and hard-to-remember password. They also relieve the burden of making required password changes for websites by generating a new one.

For those of you thinking several steps ahead, you are not tied to a password manager forever. You can always download the database with your passwords and user names, allowing you to leave the service and change passwords at each website as needed.

Of course, there’s some risk to a password manager. If a hacker gains access to your master password, all your accounts are open to plundering. Likewise, if a hacker manages to breach the central vault of the password management company, it’s possible that millions of account credentials could be stolen in a single hack.

Good password managers have defenses for both possibilities. Most employ multifactor authentication, so access is granted only with both a correct password and a correct authentication code. That code exists only on a device you own, limiting the ability for someone on the other side of the world to gain access to your information. They also encrypt your password information locally, before it ever leaves your devices, on the servers operated by the vendors. In most cases, this is strong enough.

You have a lot of choices for password managers. We happen to like Dashlane, which gets strong reviews from sources such as PC Magazine, Tom’s Guide, and CNET. You can find more than enough reviews of Dashlane and other program managers, some subscription-based and some free. You should remember that we’re not always enamored with free programs, but regardless of price, here are some things to consider.

Your password manager should secure your data on your machine and in the cloud with an industry-accepted, tough form of encryption that’s widely used today. Along that line, it’s good to have a password manager that scans the dark web to make sure you haven’t been compromised.

It should work across multiple platforms with software for Windows, macOS, Android and iOS, and you should be able to install it on an unlimited number of devices for a single (usually paid) account, store an unlimited number of passwords and generate new, strong passwords for you, even on a mobile device. We like one that can alert you to data breaches and give you a two-factor authentication option for master passwords. Some will offer to save personal information, such as personal details, credit-card numbers and other frequently used information to quickly fill out online forms. While this is optional, it may be safer than letting a website save your credit-card information.

While no password manager can recover your master password if you forget it, it’s helpful to have one that lets you reset your password. Another good feature is one that lets you provide an emergency contact so that a trusted person can access your websites and apps if you are unable to do so.

Choosing a password manager and setting it up can be daunting tasks, but we can help. Call us – 973-433-6676 – or email us for answers to your questions or to walk through the setup.