We’ve all seen it. That little warning in the bottom corner of the screen that your password is going to expire in ‘x’ days. And we’ve all done it. Well, I’ll just add one more digit to the count. Who cares anyway, right? Here’s the thing. It matters. A lot. In the past decade or so, I’ve seen every possible bad idea when it comes to passwords:
The Post-It note under the keyboard
The piece of paper taped to the wall
The ever popular “Password1” or “letmeinnow”
The feared ‘entire department uses the same password’
The password that never expires
Or, my personal favorite, the spreadsheet saved on the desktop that has the username and password of every single person, software and account in the company (mixed with your personal records, just to make it spicy!)
So why does it matter? Simply put, if your password is compromised then your kingdom is ripe for the ransacking. And with all the spillover between personal devices with work information on them, even a personal computer being compromised can spell big, big trouble for your employer. Once the levee has a crack in it, it’s just a matter of time before it comes crashing down.
Let’s walk through a couple of typical password-based paths to a compromised system, then talk about ways to prevent it.
Scenario 1 – The Password Phish
The user gets an email claiming to be from Microsoft, telling them to enter or reset their password by clicking on a link.
The user follows the instructions and goes about their day.
The attacker now holds a valid password and logs in as that user. The next day, every server in the company has been encrypted by ransomware, costing lost time, lost revenue and lost client confidence.
Scenario 2 – The Brute Force
A piece of malicious software has been introduced to the work environment, allowing a ‘bot’ to harvest usernames.
That bot then runs automated scripts, trying password after password against those accounts until one works and the system is compromised.
The next day, nobody knows anything has happened.
Silently, in the background, the entire network is scanned, company files are copied out and confidential emails are leaked to the market…or maybe everything is simply encrypted by ransomware. Or maybe, just maybe, it’s wiped out just for fun.
For the two scenarios outlined above, and the many others not mentioned, there are a few basic steps that can allow your IT department, accounting team and executives to sleep a bit better at night.
Password best practices are not as agreed upon as one might think. For years, the standard was ‘use complex passwords of at least 8 characters with upper case, lower case, numbers and symbols’. And for years, users rebelled, with predictable results: Password1, a capital letter and an exclamation point bolted onto a dictionary word, and the same password reused on every site. The industry has shifted. Current NIST guidance (SP 800-63B) drops mandatory composition rules and scheduled expiration in favor of longer passwords or passphrases, screening new passwords against lists of known-breached passwords, and multi-factor authentication. So we find it best to take a ‘thinking’ approach to the problem, one that addresses both the technology and the human side.
The best bet today is multi-factor authentication (MFA, often called 2FA or two factor authentication). Any time a user logs into an online resource or a computer, they enter their credentials and then also prove they hold a second factor: a code from an authenticator app, a push notification to an enrolled phone, or a hardware security key. Codes sent by text message are better than nothing, but they can be phished right along with the password or captured through a SIM-swap attack, so prefer an authenticator app or a FIDO2 security key wherever the service supports one.
The company should have a ‘3 strikes’ rule in place for failed login attempts. Once a user (or a nefarious bot) exceeds the allowed number of attempts within a short window, the account is locked and the user has to contact the IT department to get it unlocked. Two caveats: pick a threshold that tolerates honest typos (three to five attempts), and make sure every lockout is logged and alerted on, because a bot that knows your usernames can deliberately lock everyone out just as easily as it can guess passwords.
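Here is what a lockout rule like that looks like in code. This is an added example written for this post, not code from the original article or from any product mentioned on the page. The clock, the user store and the verify callback are stand-ins, the window (15 minutes) and lockout (30 minutes) are assumed values, and the counters live in memory only; a real deployment keeps them in a shared store so a bot cannot dodge the count by hitting a different server. The demo also shows the caveat above: once the bot has burned the three attempts, the real user's correct password is refused too until the lockout expires.

```python
"""Account lockout after repeated failed logins (added example, not from the
original post).  Counters are kept in memory and the clock is injectable so the
demo runs instantly; production code would persist the counters in a shared
store and alert on every lockout."""
import time
from collections import deque


class FakeClock:
    """Controllable clock so the demo does not have to sleep through a lockout."""

    def __init__(self, start):
        self.t = float(start)

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    """Lock an account after `max_failures` bad passwords inside `window_seconds`."""

    def __init__(self, max_failures=3, window_seconds=900,
                 lockout_seconds=1800, now=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.now = now
        self._failures = {}      # username -> deque of failure timestamps
        self._locked_until = {}  # username -> time the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.now() >= until:          # lock has expired: clear its state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password, verify):
        """Return 'locked', 'ok' or 'fail'.

        `verify(user, password)` is the real credential check.  It is never
        called while the account is locked, so a locked account leaks nothing
        about whether a guess happened to be right."""
        if self.is_locked(user):
            return "locked"
        if verify(user, password):
            self._failures.pop(user, None)   # success resets the strike count
            return "ok"
        now = self.now()
        strikes = self._failures.setdefault(user, deque())
        strikes.append(now)
        while strikes and now - strikes[0] > self.window:   # drop stale strikes
            strikes.popleft()
        if len(strikes) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return "locked"
        return "fail"


def demo():
    """A bot burns three guesses against 'alice'; her real password is then
    refused until the lockout expires.  Returns the outcome of each attempt."""
    clock = FakeClock(1000)
    users = {"alice": "correct horse battery staple"}   # constructed user store
    throttle = LoginThrottle(max_failures=3, now=clock)
    verify = lambda user, pw: users.get(user) == pw
    outcomes = []
    for guess in ("Password1", "letmeinnow", "alice2020"):   # the bot's guesses
        outcomes.append(throttle.attempt("alice", guess, verify))
    # Alice herself, with the right password, during the lockout:
    outcomes.append(throttle.attempt("alice", users["alice"], verify))
    clock.advance(1801)                                     # lockout has expired
    outcomes.append(throttle.attempt("alice", users["alice"], verify))
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['fail', 'fail', 'locked', 'locked', 'ok']
```

The fourth outcome is the point: a per-account lockout is also a denial-of-service lever for anyone who knows a username, which is why lockouts should be temporary, logged and alerted on, and paired with throttling by source address rather than used alone.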
Eliminate any common or shared passwords in the organization.
Consider a random password generator and a secure password management system to take the end user out of the process. The manager creates a long, unique random password for every site, so no more birthdays and puppy names, and no more reusing the one password the user can actually remember.
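To make the 'take the user out of the process' idea concrete, here is an added example (written for this post, not code from the original article or from any password manager it might be compared with) that generates passwords with Python's `secrets` module and screens candidates against a breached-password corpus the way the Have I Been Pwned range lookup does: only the first five characters of the SHA-1 hash would ever leave the machine. The breached list and the word list are constructed for the demo; a real deployment would call the Pwned Passwords API and use a published list such as the EFF long word list.

```python
"""Password generation and breach screening (added example, not from the
original post).  Standard library only.  The breached-password corpus and the
word list are constructed for the demo."""
import hashlib
import secrets
import string

# Constructed stand-in for a breached-password corpus, stored as upper-case
# SHA-1 hex digests the way the Pwned Passwords service publishes them.
_SAMPLE_BREACHED = ["Password1", "letmeinnow", "123456", "qwerty", "Welcome1"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED}

# Constructed word list, far too small for real use (12 words is under 4 bits
# per word); a diceware-style list of 7776 words gives about 12.9 bits per word.
WORDS = ["correct", "horse", "battery", "staple", "lantern", "orbit",
         "velvet", "canyon", "pixel", "marble", "glacier", "tundra"]

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, "!@#$%^&*()-_=+[]{};:,.?")


def sha1_prefix_suffix(password):
    """Split the SHA-1 of the password the way the k-anonymity lookup does:
    only the 5-character prefix is sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def local_range_lookup(prefix):
    """Stand-in for GET /range/<prefix>: every stored suffix sharing that prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in local_range_lookup(prefix)


def is_acceptable(password, min_length=12):
    """Screen a candidate password.  Returns (ok, reason)."""
    if is_breached(password):
        return False, "appears in a breach corpus"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


def generate_password(length=16):
    """Random password drawn with `secrets` (never `random`, whose output is
    predictable), containing at least one character from every class and
    absent from the breach corpus."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        has_every_class = all(any(c in cls for c in candidate)
                              for cls in CHARACTER_CLASSES)
        if has_every_class and is_acceptable(candidate)[0]:
            return candidate


def generate_passphrase(words=5, wordlist=WORDS):
    """Length over complexity: several random words are easier to type and
    remember than a short string of symbols, and with a real word list five
    words is over 60 bits of entropy."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(is_acceptable("Password1"))   # (False, 'appears in a breach corpus')
    print(generate_password())
    print(generate_passphrase())
```

The breach check runs before the length check on purpose: a password that appears in a breach corpus is unacceptable at any length, and that is the reason the user gets back.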
Consider phishing-awareness training for your employees. There are programs that run simulated phishing campaigns, report which users clicked or entered credentials and would have let an intruder in, and follow up with online, customizable and interactive training for those employees.
The best way to prevent an exposure is to prepare and avoid it. Consider talking with an experienced IT security provider that can help you anticipate, prepare for and prevent a cyber breach.
Back in January of 2020, we began to watch with wary interest as the news trickled out of China about their ‘local’ health incident. With the shrinking world and the expanding global economy, there were murmurs around our office about what it might mean for us. Hindsight being what it is, those watercooler conversations with their hypothetical scenarios all seem pretty quaint now, as we enter into the dog days of summer with no end in sight to either the heat or the seemingly incessantly escalating predictions of doom. Like all our Oklahoma businesses, we had to grapple with the rapidly moving goal posts of public response. But, perhaps unlike many of our Oklahoma business neighbors, we were pre-positioned to thrive in the evolving American workforce. The week before Oklahoma Governor Kevin Stitt began rolling out lockdowns, we had already initiated a full remote workforce shift. We knew that our client base of small and medium sized Oklahoma businesses would be required to shift to a remote workforce and we didn’t want to be hammered with calls and requests for remote worker setup while our team was still shuffling into position.
Some of our staff have been providing IT support for long enough to remember when remote work meant saving documents and emailing them to co-workers for review. A few of us have been providing IT support long enough to remember when mobile hotspots were still the ‘technology of the future’. But for many of our Oklahoma based IT Helpdesk Support Techs, a life without Wi-Fi, high-speed connectivity and instant full-duplex communications over VoIP or live video streaming simply has never existed. The technology that we have sold and supported to Oklahoma small and medium sized businesses for so many years just meant that, with a few hours’ notice, our team was able to grab a few items from their offices and transition fully and seamlessly to our new ‘temporary’ work from home offices. Things moved so quickly. On Wednesday we were talking about the possibility of a remote work shift. That very next night we had a 7pm phone call with the team, went remote the next Friday and that was, let’s see…a lot of Mondays ago now.
Those first few weeks were a cacophony of urgent telephone calls for technology needs. Everything was urgent. Everything had to happen yesterday. In one sense, that’s just a normal day in Tulsa Oklahoma IT Managed Services Consulting. But, in a much more real sense, in this case it actually had to happen immediately. The urgency was real. Calls came into our Tulsa IT Helpdesk asking for:
– Expedited SSL VPN license purchase and configuration on Dell SonicWalls
– Configuration of Sophos VPN connections
– Configuration of Remote Access on MacBooks and MacBook Pros
– Clarity on whether they might still be able to run that Windows 7 laptop securely from home
– Ways to measure their workforce productivity
– In some cases, folks were literally taking their entire Lenovo or Dell desktop computers home to use remotely over VPN.
– Clients got serious about IT Collaboration using tools like MS Teams or Zoom.
Some clients who had antiquated phone systems that had been ‘working’ with judicious application of duct tape and patience were finding themselves unable to scale their resources and have them work remotely. This meant several on-the-fly emergency phone system migrations. We found ourselves porting phone numbers, rolling out cloud-based VoIP telephone solutions, shipping VoIP headsets around the country and configuring VoIP PBX routing from the business phone systems to apps installed on personal cell phones, whereby employees could use their personal or company owned cell phones but have the office phone system features including extension routing, call recording and cell phone number obscurity all in place.
Yes, that’s just a normal month in the Oklahoma IT Managed Service Provider industry. The difference was that this was all happening at once, across most of our outsourced IT client base. And as word got out, as it often does, that we were getting stuff done that the other folks couldn’t, the calls just kept coming. There were a few weeks where we just stopped looking at performance metrics. Everyone just kept their head down, kept swinging, kept pushing and kept providing the IT Support our clients needed. When the calls began to normalize, we found ourselves looking at a new IT landscape. Clients were beginning to see the power and the leverage that these remote workforce tools presented them with. The game is changing. The tools are more powerful than ever. Nomerel answered the call when COVID came calling, like, actually answered the phones and returned the emails. We got it done then and we are getting it done still. Give us a call and let us show you how we can help you leverage the tools out there to maximize your return and productivity.
The intent of a phishing email is to get the user to click on a link that executes malicious code on their computer, or to get the user to type sensitive information, such as a username and password, into a fake form. Phishing emails often imitate a legitimate company, such as Google or Facebook, and are written to make the user feel they must act quickly or something bad will happen: their account will be locked, or they won’t get paid on time. For example, one well-known phishing email appears to come from Microsoft technical support with the subject “Unusual sign-in activity” and urges you to contact support immediately by clicking on a link.
Clicking a link and filling in a form are not the only goals. Phishing emails also try to get a user to call a fake customer service number, open a document that contains macros, or simply reply. Sophisticated campaigns run a working hotline where callers are talked into handing over personal information. Attachments such as a Microsoft Word document can carry a macro, a piece of code that runs when the document is opened and macros are enabled; macros were designed as a convenience feature, but they are just as useful to an attacker. Finally, replying to an email confirms that the address is active and marks it as a target for future phishing campaigns.
Phishing campaigns are easy to start, do not require the attacker to be technically skilled, and are so common that Google has reported Gmail blocks more than 100 million phishing emails every day.
A great defense against phishing emails is knowing how to spot them. Start with the sender’s email address and the subject line. Is the address unfamiliar, or does it contain spelling errors or a look-alike domain? Be aware that the sender address can be spoofed to look like it came from a legitimate source, so a familiar name alone proves nothing. Look at the body of the email next: is it asking you to enter sensitive information or to act quickly? Hover over any link (without clicking) and compare where it really goes with the text shown. If any part of the email looks suspicious, do not click on any link, open any attachment or reply to the email. Notify your IT department and they will guide you through the procedures defined in your organization’s policies.
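Those same checks (does the display name match the sending domain, does Reply-To go somewhere else, is there pressure to act now, does the link text match the link target) can be mechanized. The script below is an added example written for this post, not code from the original article or from any vendor it mentions, and it uses only the Python standard library. The brand-to-domain allow-list, the urgency phrases and both sample messages are constructed for the demo, and the domain handling is deliberately crude (last two labels of the host), which is fine for a demo but wrong for multi-part public suffixes such as co.uk.

```python
"""Heuristic phishing checks on a raw email (added example, not from the
original post).  Stdlib only; the allow-list, cue phrases and sample mails are
constructed for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: sending domains a display name may legitimately claim.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "google": {"google.com", "gmail.com"},
}
URGENCY_CUES = ("unusual sign-in activity", "immediately", "within 24 hours",
                "account will be locked", "verify your account")


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_or_url):
    """Last two labels of an address's or URL's host.  Crude (wrong for
    co.uk-style suffixes) but enough for the demo."""
    if "@" in addr_or_url:
        host = addr_or_url.rsplit("@", 1)[1]
    else:
        host = urlparse(addr_or_url).hostname or ""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _body_text(msg):
    """Concatenate the text/plain and text/html parts, decoded."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Return human-readable findings; an empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender) if "@" in sender else ""
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    for brand in claimed:                       # display name vs. real sender
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"display name claims {brand} but sender domain is {sender_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"Reply-To goes to {_domain(reply_to)}, not {sender_domain}")
    body = _body_text(msg)
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    for cue in URGENCY_CUES:                    # pressure to act now
        if cue in haystack:
            findings.append(f"urgency cue: {cue!r}")
    links = _Links()
    links.feed(body)
    for href, text in links.links:              # link text vs. link target
        if re.match(r"https?://", text) and _domain(text) != _domain(href):
            findings.append(f"link text shows {_domain(text)} but points to {_domain(href)}")
        for brand in claimed:
            if _domain(href) not in BRAND_DOMAINS[brand]:
                findings.append(f"link to {_domain(href)} in a mail claiming to be {brand}")
    return findings


# Constructed sample: the 'Unusual sign-in activity' lure described above.
SAMPLE_PHISH = """\
From: "Microsoft Account Team" <security@micros0ft-support.com>
Reply-To: helpdesk@mail-recovery.example
To: tina@example.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual sign-in activity. Verify your account
immediately or it will be locked.</p>
<a href="http://login.micros0ft-support.com/verify">https://account.microsoft.com</a>
</body></html>
"""

# Constructed sample that should pass clean.
SAMPLE_LEGIT = """\
From: "Microsoft Account Team" <account-security-noreply@accountprotection.microsoft.com>
To: tina@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Hello Tina, your statement for last month is available in the billing portal.
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PHISH):
        print("PHISH:", finding)
    print("legit findings:", analyze(SAMPLE_LEGIT))
```

Run it and the lure trips every check: a display name claiming Microsoft from a look-alike domain, a Reply-To pointing at a third domain, three urgency cues, and a link whose visible text says microsoft.com while its href goes to the look-alike. None of this replaces mail-gateway controls such as SPF, DKIM and DMARC, but it mirrors the eyeball checks above and makes a good starting point for a user-reported-phish triage script.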
Tell me if this sounds familiar. It’s Monday morning. Payroll is due this afternoon. Your field workers are still having that nagging email issue. There is nothing ‘quick’ about your QuickBooks. You have no idea what PC Load Letter means, other than your office printer hasn’t delivered in 3 days. The shop has scanners that won’t scan. The warehouse can’t see the ‘shared’ drive and you are almost certain that you smell smoke coming from the server room.
That can mean either another costly repair or, perhaps, that productivity and morale have slid so low that Bob from your current IT operation is smoking on the job again.
When you started this business, things were not going to be like this. You didn’t need computers, servers, smart phones and wireless printers. It was just you, your handful of team members and your dreams. But today’s marketplace is all connected. You’ve got more email addresses now than you ever dreamed of. How can you make sure Tina in accounting sees the invoices but also not spam her with all the sales junk? You’ve heard something about a distribution group, but hearing about it and knowing how to set one up are two very different things.
Another beep from the closet.
Another nasty email from your supplier saying something about a whitelist. What is a whitelist again?
It’s not even 9:15 in the morning and already you can feel the ‘to-do’ list left over from last week rising like a tsunami to utterly bury you…again. You swore it wouldn’t be like this, just like you did the month before. There has got to be a better way. That’s where Nomerel comes in.
Nomerel offers Tulsa, Oklahoma based IT consulting. We install, service and support desktops, laptops, servers, email, printers and phone systems. We offer end to end IT service from live answering your IT helpdesk phone calls to comprehensive security audits and compliance. You don’t need to wrestle your email server, we can get you migrated to Microsoft Office 365. We can make your computers talk (nicely) to each other which has been known to allow your team mates to do the same. It doesn’t have to be this hard. As a matter of fact, you are really just a phone call away from being able to pass the baton to the IT professionals so you can focus on running your business. You remember. That dream you were chasing before a thousand IT issues tried to pull you under for good.
Our team of dedicated professionals is standing by to make your IT resources work for you, not the other way around.
Live answered, knowledgeable humans on the phone
24/7/365 system monitoring and alerts
Industry leading, best practice application of security, updates and patching
Machine Learning / AI protection for email, firewalls, networks, laptops, desktops and servers
Full Feature Telephone Options including cell phone integration, full time recording, voice to text transcription and all the other bells and whistles
Office 365 Migration and Support
Network Troubleshooting
Computer Repair and support
World Peace…or at least a secure platform to write about it and wish…
Before you spend another week chasing your tail or whacking moles, give us a call. Let us hear what you’ve got going on and see if we can put out the fires and get you back to doing what you do best.
Our Director of Security Services, Ann Hinkle will be conducting a webinar “Illuminating the Insider Threat in the Remote Workforce,” presented by North Texas InfraGard Members Alliance.