Who is on the naughty list this year?
Ransomware is malicious software that poses a threat usually by denying you access to your data. The attacker demands a ransom from the victim, with the promise to restore access to their data upon payment (which rarely happens even if the victim pays the ransom).
Estimates for 2021 put a ransomware attack every 11 seconds, with total damage that could reach $20 billion. To break that down, in 2019 the average cost per ransomware attack was $133,000. Imagine a 90% chance of someone holding a $133,000 ransom over you. This is happening all too often, and it is happening in the world of technology. No, thank you…. “SANTA”! (tattletale voice).
Though not in the same league as a ransomware attacker, bad password creators and uncommitted remote workers take second and third place on Santa’s list of naughtiness.
Passwords provide the first line of defense against unauthorized access to your computer and personal (and your company’s) information. The stronger your password, the more protected your computer will be from the hackers and malicious attackers mentioned above. One of the most common ways that hackers break into computers is by guessing passwords.
Simple and commonly used passwords enable intruders to easily gain access and control of a computing device. If you want to be considered the ‘good’ worker that you are and to receive ALL of the toys and treats that you deserve this year, it is imperative you put thought into creating a unique and somewhat complex password. This not only protects you from having your personal information compromised, but your company will thank you too!
Casual remote workers, or in other words, remote workers who do not take company policies and procedures seriously, are the last of the naughties. With so many people now working from home, assailants have more opportunity to pull off an attack. There are myriad ways in which a remote worker can lessen the chances of a company being compromised; understanding the three attack types below is a good place to start:
1. Brute force attack through the VPN
In a brute force attack, a hacker uses a rapid trial and error approach to guess the correct password, PIN, or encryption keys. It doesn’t require a lot of intellect or complex algorithms – it’s merely a guessing game. (Refer back to #2 on the list – create unique passwords!)
2. Command and Control via Phishing
Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. (Take the time to really think about what you are being asked. Work with your IT team to learn how to identify a phishing email)
3. Bypass of Multi-Factor Authentication
Multi-factor authentication is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. (When you are asked if you would like to set up multifactor authentication, the answer is always yes 😊)
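The brute-force item above is the one a remote worker's VPN sees most often, and it is also the easiest to spot on the defender's side if someone is watching the authentication log. The following is an added example, not part of the original post and not any VPN vendor's code: it reads constructed syslog-style VPN authentication lines (the format, hostnames, usernames and RFC 5737 documentation addresses are all made up for the demo) and flags a burst of failures from one source, a password-spray pattern (many different usernames from one source), and a success that follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (generic format invented for this example, not a real product's).
SAMPLE_LOG = """\
2020-12-14T08:00:01Z vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2020-12-14T08:00:02Z vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2020-12-14T08:00:03Z vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2020-12-14T08:00:04Z vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2020-12-14T08:00:05Z vpn1 auth: user=jsmith src=203.0.113.7 result=FAIL
2020-12-14T08:00:06Z vpn1 auth: user=jsmith src=203.0.113.7 result=SUCCESS
2020-12-14T08:05:10Z vpn1 auth: user=mlee src=198.51.100.20 result=FAIL
2020-12-14T08:05:25Z vpn1 auth: user=mlee src=198.51.100.20 result=SUCCESS
2020-12-14T09:00:00Z vpn1 auth: user=aadams src=203.0.113.50 result=FAIL
2020-12-14T09:00:01Z vpn1 auth: user=bbrown src=203.0.113.50 result=FAIL
2020-12-14T09:00:02Z vpn1 auth: user=ccole src=203.0.113.50 result=FAIL
2020-12-14T09:00:03Z vpn1 auth: user=ddavis src=203.0.113.50 result=FAIL
2020-12-14T09:00:04Z vpn1 auth: user=eevans src=203.0.113.50 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Yield (timestamp, user, source, result) for every line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["src"], m["result"]


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector keyed on source address.

    - 'brute-force': >= threshold failures from one source inside the window
    - 'password-spray': those failures cover >= threshold distinct usernames
    - 'success-after-burst': a SUCCESS from a source that is still inside a burst
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) for recent failures
    alerted = set()              # one burst alert per source
    alerts = []
    for ts, user, src, result in parse(lines):
        q = recent[src]
        while q and ts - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                users = sorted({u for _, u in q})
                kind = "password-spray" if len(users) >= threshold else "brute-force"
                alerts.append({"type": kind, "src": src, "failures": len(q),
                               "users": users, "at": ts.isoformat()})
        elif result == "SUCCESS" and len(q) >= threshold:
            # a login that finally worked right after a burst of failures deserves a look
            alerts.append({"type": "success-after-burst", "src": src,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

In the sample, the single failed attempt from 198.51.100.20 followed by a success is treated as an ordinary typo and produces nothing; the two bursts from the 203.0.113.0/24 addresses do. The thresholds are assumptions to tune against your own log volume, and the same logic applies to any authentication source once the parser is adapted to its format.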
Who is on the nice list this year?
Simply put, System Administrators fix computer server problems; they organize, install, and support an organization’s computer systems. This includes local area networks (LANs), wide area networks (WANs), network segments, intranets, and other data communication systems.
A more accurate description of SysAdmins and your IT department: they are super(wo)men! These individuals have always deserved appreciation from the surrounding departments and the people in their lives, but 2020 has challenged companies’ IT departments to deliver even more, even faster. They are expected to keep your company’s communication working seamlessly. In today’s world, they work tirelessly to ensure remote workers are set up to be efficient. They work hard to implement, teach, and manage policies and best practices for remote workers. Not only is your IT department on the nice list this year, but they also get to eat the cookie dough from the Christmas Cookie bowl too! Score!
IT leadership is another group that made the nice list. When no one knows what is going on (and I do mean no one), people look to leadership for guidance and direction. Leading a group of people and an organization has its own challenges in a “normal” year, but when you’re working from a recipe that encompasses budget cuts, the need for innovation, navigating new working situations, and the increased pressure to fend off cyberattacks, a “successful” outcome can be hard to measure.
The following challenges were top on the list for IT leadership this year:
Increased pressure to perform with drastically lower budgets has forced IT leaders to identify their very top priorities in order to allocate budgets appropriately. Nothing new here; leaders have done this since the beginning of time, but when you think your budget is one thing and it QUICKLY becomes another, this balancing act isn’t nearly as easy as it seems. To the leaders who opted to take care of their employees over buying the latest and greatest: thank you!! Your team noticed and, MOST IMPORTANTLY, Santa noticed! You know what they say, “he knows if you’ve been bad or good so be good for goodness sake!!”
Happy Holidays to you and yours!
“Something you know, something you have, something you are.” Multi-Factor Authentication enthusiasts all over the web repeat this line. These are the three kinds of factors for identifying yourself in order to gain access to a system. Examples would be your username/password combination, an OTP (One Time Password) sent by SMS or generated by an authenticator app, and biometrics. 2FA is of course a subset of MFA: it uses exactly two factors to authenticate your logon. AND NO, USERNAME + PASSWORD ARE NOT TWO FACTORS.
Compared to single-factor authentication, MFA ensures that your accounts are much better protected. Microsoft reports that accounts using MFA are “99.9% less likely to be compromised”, based on its records showing that 99.9% of compromised accounts were not using MFA. This was stated by Alex Weinert, Director of Identity Security at Microsoft, at a recent cyber security conference.
Perhaps even more disturbing is that there is ONLY AN 11% MFA ADOPTION RATE AMONG ENTERPRISE CLOUD USERS. It’s not like we keep important data in our business emails. We also don’t use these same emails as recovery addresses for other business-related online accounts. Joking aside, we are almost asking for security breaches.
We live in times where ransomware, social engineering, and other cyber attacks are on the rise. By not utilizing multi-factor authentication, you are doing the equivalent of using 1-2-3-4-5 as your combination on your luggage. Something almost as bad is re-using the same couple of passwords everywhere. Your password expired? Just update it from SecurePW1! to SecurePW2@ and it will meet complexity requirements and be super secure, right?
The practical issue with using very complicated passwords is that they are very difficult to remember by design. This is where a password manager is very helpful. You don’t want to be the person with a bunch of sticky notes on your monitor with login credentials written on them.
You can generate very secure passwords as seen in the LastPass example below, and store them in a vault.
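The SecurePW1! to SecurePW2@ rotation above is exactly the kind of change a password-change check should refuse, and generating a long random password is what a manager's generator does for you. The block below is an added example written for this post, not LastPass's code and not the screenshot the post refers to: it applies an assumed policy (minimum 12 characters, three of four character classes, a tiny constructed denylist) at change time, rejects cosmetic rotations by comparing the letters-only core of both passwords and their edit distance, and generates a password from the OS CSPRNG.

```python
import re
import secrets
import string

# Constructed mini-denylist for the demo; a real deployment would check a breached-password
# list (for example a Have I Been Pwned k-anonymity lookup) rather than a handful of literals.
DENYLIST = {"password", "12345", "123456", "qwerty", "letmein"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between old and new password means a cosmetic rotation."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _core(pw: str) -> str:
    # letters only, lower-cased: "SecurePW1!" and "SecurePW2@" both reduce to "securepw"
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the new password only shuffles the digits/symbols around the same word."""
    if _core(old) and _core(old) == _core(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_distance


def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """Assumed policy: at least min_len characters and three of the four character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


def evaluate_change(old: str, new: str):
    """Return (accepted, reason). Runs at change time, when the user has just typed both
    values, so it never needs the old password stored in clear."""
    if new.lower() in DENYLIST or _core(new) in DENYLIST:
        return False, "new password is on the denylist"
    if is_trivial_rotation(old, new):
        return False, "new password is a trivial variation of the old one"
    if not meets_complexity(new):
        return False, "new password does not meet length/complexity policy"
    return True, "ok"


def generate_password(length: int = 20) -> str:
    """Random password with every class present, drawn from the OS CSPRNG via `secrets`."""
    length = max(length, 4)
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    chars = [secrets.choice(p) for p in pools]          # one guaranteed char per class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)               # so class-guaranteed chars are not first
    return "".join(chars)


if __name__ == "__main__":
    print(evaluate_change("SecurePW1!", "SecurePW2@"))
    print(evaluate_change("SecurePW1!", generate_password()))
```

Generated passwords like the one above are not meant to be memorised, which is the whole point of storing them in a manager's vault; the check only needs to run on the server that processes the change.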
Combined with a complicated password, using MFA will make it much harder for bad actors to impersonate you. Most online services these days give the option of enabling multi-factor authentication. Examples are business apps like Office 365, Google Apps/Gmail, your work’s VPN application, and even personal apps like your bank, Amazon, or Facebook offer this. Your password manager is also a very good candidate to enable MFA.
First, you need another factor for authentication. Hardware devices such as RSA SecurID or Yubico’s YubiKey are good choices if you really want to take things seriously. You can also just use an app. Popular apps such as Google Authenticator, Microsoft Authenticator, Authy, and LastPass Authenticator are all good examples.
Next, head over to your favorite application and log in. Usually in the same place in the settings area where you would change a password, there should be an option to enable 2FA/MFA/2-step verification/etc. While you’re at it, you should probably change your password if it isn’t complex or you haven’t done so in a while.
Just follow the instructions to enable MFA. This will vary slightly depending on application. In general, you’ll select your authenticator app or hardware key when prompted. If using an authenticator app, you will need to scan a QR code to add that account. Once you complete the setup, enjoy knowing that your security posture has been greatly improved.
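To make the QR-code step less mysterious: the code encodes a shared secret, and both the authenticator app and the service derive the same six-digit code from that secret and the current 30-second time step (TOTP, RFC 6238, built on HMAC from RFC 4226). The following is an added example, not code from the post or from any of the apps named above; the demo secret and account names are constructed, and the verification function shows the server-side checks that matter (a small drift window, constant-time comparison, and refusing a code that has already been used).

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed demo secret in base32, the form an authenticator app reads out of the QR code.
# Not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def _key_bytes(secret_b32: str) -> bytes:
    # secrets shown in QR codes usually omit '=' padding; restore it before decoding
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp_for_counter(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 core: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(_key_bytes(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app displays: the code for the current time step (RFC 6238)."""
    return totp_for_counter(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, step: int = 30,
                window: int = 1, used_counters=None) -> bool:
    """Server side. Accepts the current step and +/- `window` steps to tolerate clock drift,
    compares in constant time, and refuses a counter that already authenticated (replay)."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(totp_for_counter(secret_b32, c), submitted):
            if used_counters is not None:
                if c in used_counters:
                    return False
                used_counters.add(c)
            return True
    return False


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes (Google Authenticator key URI format)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    now = int(time.time())
    print("enrollment URI:", provisioning_uri(DEMO_SECRET_B32, "jsmith@example.com", "ExampleCorp"))
    print("code the app would show right now:", totp(DEMO_SECRET_B32, now))
```

Because the code is a function of the secret and the clock only, the thing worth protecting at enrollment is the secret in the QR code; a server that skipped the replay check would let a code that was already entered once be accepted again for the rest of its time step.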
Need help enabling MFA on your business applications such as Office 365 or your VPN client? Contact us today. Our friendly Zunesis engineers are here to help!