Internet Security

Internet Security – Two-Factor Authentication: Why & How You Should Use it

Conventional wisdom about passwords is shifting, as they are increasingly seen as a less-than-ideal internet security measure for securing digital accounts. Even the recommended rules for creating strong passwords were recently thrown out the window. Average users are just too unreliable to regularly create secure passwords that are different across all accounts, so using technology to augment this traditional internet security is imperative.

From online banking to email to cloud-based file storage, much of our high-value information is in danger if a hacker gains access to our most frequently visited sites and accounts. That’s where two-factor authentication comes in.

Two-factor authentication (2FA) adds an extra layer of security to your basic login procedure. When logging into an account, the password is a single factor of authentication, and requiring a second factor to prove you are who you say you are is an added layer of security. Each layer of security that you add exponentially increases protection from unauthorized access.

The three categories of authentication factors:
  1. Something you know, such as a password.
  2. Something you have, such as an ID card, or a mobile phone.
  3. Something you are, a biometric factor such as a fingerprint.

The two factors required should come from two different categories. Often, the second factor after entering a password is a requirement to enter an auto-generated PIN code that has been texted to your mobile phone. This combines two different types of factor: something you know (your password) and something you have (your mobile phone, which receives a code by SMS text or generates one in a 2FA app).

Protect accounts with an extra layer of security

Popular social media sites, including Twitter, Facebook, Instagram and Pinterest, have added 2FA to help protect users. In addition, you may have noticed that services from companies such as Apple, Google and Amazon will notify you via email each time you log in from a different device or location.

While 2FA from an SMS text message is popular and much more secure than a password alone, it is one of the weaker types of 2FA. This is because it’s relatively easy for an attacker to gain access to your SMS texts. When you log in to your account and it prompts for an SMS code, the website sends the code to a service provider, which then passes it on to your phone.

This is not as secure as everyone thinks, because the phone number is the weakest link in the process. If a criminal wanted to steal your phone number and transfer it to a different SIM card, they would only need to provide an address, the last four digits of your social security number, and maybe a credit card number.

This is exactly the type of data that is leaked in large database breaches, a tactic to which most Americans have fallen victim at some point or another. Once the attacker has changed your phone number to their SIM card, they essentially have your number and receive all your texts, thus compromising the SMS 2FA.

Many people are guilty of using weak passwords or the same login information across several accounts, and if this sounds like you, we recommend that you use authenticator apps such as Google Authenticator and Authy. These apps are widely supported and easy to set up.

Simply go to the “account settings” section on the site where you want to enable 2FA. There should be an option for 2FA if it is supported. Use the app on your phone to scan the QR code and, just like that, it’s configured to give you six-digit one-time passcodes that expire every 30 seconds.

What happens when you’re not using sites that have 2FA enabled? Quite simply, security is not as tight and there’s a higher risk of a hacker gaining access to your accounts. Depending on what is stored, your credit card information, home address, or other sensitive data could be stolen and used to commit fraud or sold on the dark web.

And until passwords are put to death completely, be sure to heed a few safety tips from Gary Hayslip, Webroot CISO, in addition to using two-factor authentication:

“Change passwords periodically, do not recycle passwords, don’t use the same password for your social media account and your bank account, and finally store your passwords in a safe place. Consider using some type of password vault program, avoid keeping passwords on a Post-it note under your keyboard, on your monitor or in a drawer near your computer.” – Webroot CISO Gary Hayslip

—————————————————————————
This article was provided by our service partner: webroot.com
Internet Security

Internet Security: 10 Fundamentals to Fight Breach Fatigue

You don’t have to spend a lot of years in internet security to experience a phenomenon that’s been dubbed breach fatigue: the tendency to get tired of hearing about data security breaches. Breach fatigue can affect people differently based on their professional roles. For IT managers at smaller companies, breach fatigue can lead to a “why bother?” attitude. After all, if a major bank that spends hundreds of millions of dollars a year on internet security can still get hacked, is there any hope for small to midsize businesses?

Unfortunately for MSPs, attitudes like that can undermine your efforts to sell security products and services, so it is important to be ready with a response to this rebuttal. For example, I would say: “Your chances of surviving a cyberattack are actually quite high IF you’ve taken care of the fundamentals.” Before I describe those fundamentals, let me explain why I am confident in that statement.

First, I should note that each time a new data breach makes headlines, it adds to the workload for security researchers. Why? Because we want to find out how that breach happened so we can tell people how to avoid succumbing to the same type of attack. Unfortunately, it can take days or weeks, sometimes even years before we get the full story (which often differs from the first reports of the event).

Remember when JPMorgan Chase suffered what prosecutors later described as “the largest theft of customer data from a US financial institution in history”? When the news of that breach first got out, there was talk of a sophisticated nation state attack, even Russian involvement. We later learned that, although the bank had very sensibly installed two-factor authentication on its servers, it had missed one. That one server was how the hackers, con artists not a nation state, got in.

More recently we learned that an even more shocking breach – Equifax – was due to a failure to patch a well-publicized vulnerability (the congressional testimony of the Equifax CEO, who stepped down in the wake of the breach, suggested that the responsibility for patching rested with one person, who apparently slipped up). Back when Target was breached, internet security alarm bells were ignored and people failed to notice plaintext files full of credit card data being shipped to unapproved FTP servers in Russia.

The overarching theme here is that taking proper care of the fundamentals I’m about to discuss would have stopped many big-name breaches from happening. The good news for smaller companies is that they are likely to have fewer servers to watch over, fewer rogue projects flying under the radar, and simpler data flows to monitor.

So here is my pick of 10 fundamentals which, when properly managed, will go a long way in thwarting the bad guys:

  1. Timely patching of vulnerabilities
  2. Endpoint protection on all endpoints, including servers, at all times
  3. Encryption of data at rest
  4. Multi-factor authentication on all remote access, RDP, etc.
  5. Network segmentation
  6. Network monitoring / data loss prevention
  7. Removable media controls
  8. Backup and recovery plan
  9. Incident response plan
  10. Employee security awareness

To do all this, you must have a secure and dedicated internet provider for your business like EATEL Business Managed Wi-Fi. Yes, that’s a lot of work, but if you get it done, your odds of both avoiding and surviving breaches will improve greatly.


This article was provided by our service partner: ESET.

Microsoft

Four Pillars of the Modern Partner Creating Thriving Cloud Business

 

Guest Author: Matt Morris – Matt Morris is a Partner Technical Strategist & Cloud Business guru in the One Commercial Partner group, where he leads technical sales readiness, and strategy for one of Microsoft’s largest distribution partners. Prior to his current role, Matt worked in enterprise technology sales, software development, and solution architecture roles at Microsoft and other technology firms. He has experience with mid-market and large enterprise organizations across a variety of industries as well as the public sector. He helps customers understand and implement high innovation and transformational technology solutions in the areas of analytics, cloud computing, and developer tools and platforms.

According to IDC, by 2020 IT cloud services revenue will exceed $500 billion. As a part of Microsoft’s One Commercial Partner organization, I know firsthand both the tremendous opportunity cloud computing presents our partners and the complexity that opportunity can pose. So, as you prepare to join us at IT Nation, I want to share a series of cross-industry partner resources that will help you evaluate the benefits and risks of cloud computing, and provide best practices to help you successfully transform your business to capture the largest possible share of those dollars.

 

Is the cloud right for my business?

Nearly 80% of customers are deploying or fully embracing cloud technology today, according to IDC. It’s clear many clients are hungry for the cost-savings and flexibility the cloud can provide, but finding the right pace and model for cloud adoption is challenging for many partners. In The Booming Cloud Opportunity, IDC analyzes the scope of the opportunity and how you can take advantage.

How do I grow my business with the cloud?

No one knows your clients like you do. Your hard-earned expertise solving clients’ challenges is the perfect foundation for a cloud-based practice. You know the solutions your clients want, without compromising their security or increasing long-term costs. More importantly, your clients chose you for a reason. Whether you’ve mastered a particular technology, specific vertical, or business process, your unique expertise can be scaled with cloud solutions to make you more profitable. Whether you’re looking to start gently with a SaaS solution like Office 365™, or to dive into IaaS or PaaS with Azure™, evaluate your revenue potential with your Office 365 Revenue Modeling Tool or check out the eBook, Differentiate to Stand Out.

Will I need to change my sales & marketing for cloud solutions?

The next challenge is communicating the unique value you offer, particularly when 65% of B2B purchase decisions are made before ever engaging sales. The Modernizing Sales and Marketing Guide distills the best practices other successful partners have implemented. From developing a listening culture and understanding the customer journey, to building the right marketing assets to communicate how you solve customers’ real business challenges, this guide will help you grow your practice.

Am I ready to expand my practice into the cloud?

Changing your business model seems risky, even when you know that it’s critical to long-term success. So, before deciding to wait a little longer, see what it would take to get started. Some cloud services, like Office 365, can be implemented quickly and painlessly. If you have cautious clients, expanding into a hybrid blend of on-premise and cloud solutions might fit. The key is to create a strategy that allows you to leverage easily deployed cloud components to drive services revenue today, while developing your own specialized solutions to turn your unique expertise into a repeatable product over time. Get started with Optimizing your Operations.

However you choose to implement cloud services, my goal is to help you strengthen both your bottom line and your relationship with your customers. Long-term profitability is the result of helping your customers achieve their goals, growing revenue while reducing churn. Our last resource, Delivering Customer Lifetime Value, closes the loop.


This article was provided by our service partner Microsoft.

veeam 10

Veeam 10 highlights

At the recent VeeamON Forum in London, some teasers of what’s new in Veeam V10 were released. It doesn’t seem that long since Veeam version 9.5 was released, but Veeam version 10 doesn’t disappoint, with some much sought-after new features.

Agents – became available in Veeam 9.5 and allow the backup of physical machines and VMs in the cloud. This was a welcome feature; the only disadvantage was that you had to manage your agents from a separate interface. Version 10 allows you to manage all your agents from the standard Veeam Backup and Replication Console. Management of agents will be standard in version 10 from the B & R Console, but if you’re on 9.5 you can also get this functionality early by applying update 3, which should be available shortly.

NAS backup – this was a real chink in Veeam’s armour previously, as there was no way to back up NAS devices. The presenter mentioned this was one of the most popular feature requests, no surprise there. Version 10 will allow backups of NAS devices, and this will not be NDMP based. The feature is actually enabled with the addition of a new proxy role, the File Backup Proxy. This backup method allows the backup process to be vendor agnostic and also allows out-of-place restores to be performed to any target.

Continuous data protection (CDP) – allows for a near-zero RPO. Those familiar with traditional continuous data protection will remember physical appliances which acted as write splitters. Veeam’s implementation is of course software based and works by harnessing the VMware VAIO API, which splits the write and creates a secondary copy of it. The picture below demonstrates a write being written across two different VMware clusters via the CDP proxy.

Continuous data protection is configured in the following screen which allows you to specify an RPO in seconds as well as how long it is stored for.

Veeam CDP setting screen

Storage integration API – storage integration is nothing new for Veeam; they have offered integration with vendors such as HPE and NetApp for a number of years. In version 10 of Veeam there is now a universal storage integration API available, so storage vendors can develop integrations and they will all be based on a standard model. Previous storage integrations have been unique to each vendor. Storage-based snapshots will of course bring the benefits of offloading the grunt work from the hypervisor and minimise the risk of VM stun.

RMAN backups – Oracle DBAs can continue to use the RMAN native backup tool they are familiar with but target a Veeam repository.

Archive tier – will be available as a tier within a Scale-Out Repository. This allows backup data to automatically tier down to cheaper storage and is policy driven.

Role-based access – is based on vSphere roles and allows users to perform their own simple operations such as restores.

TAAS – possibly my favourite new feature, bringing new to old. Tape As A Service. This basically means that Veeam will tape out for you, giving you the benefits of tape, such as low cost per GB of storage and offline media, without the hassle of tape management.

The Veeam Backup and Replication version 10 release date has not been announced yet; the official V10 page just lists it as coming soon. Veeam 9.5 update 3 is expected imminently.

Cisco Umbrella

Cisco Umbrella Has Something New for MSPs

The threat landscape continues to get more sophisticated and complex. In a continued partnership to help MSPs protect their clients, Cisco is excited to announce a new Advanced Cisco Umbrella package specifically designed to help MSPs deliver even deeper protection.

centrexIT has become an early adopter as part of the rollout of the Advanced Cisco Umbrella package for MSPs. centrexIT, an award-winning Managed Services Provider in Southern California, stands out in the IT industry with a unique take on information technology and business alignment. Although their clients engage with them to support their business technology, network health, cybersecurity, and more, centrexIT’s most important metric isn’t how well the technology is working. It’s how to make their clients’ lives easier and more productive, and ultimately make them more profitable. A large part of that goal in 2018, and beyond, is practicing good cybersecurity management.

“We value people over technology,” says Eric Rockwell, CEO of centrexIT. “And that commitment to our Culture of Care in turn leads us to focus on providing excellence in service while using technology that meets the highest of standards.”

That standard is even higher when it comes to security — especially in the face of the many high-profile breaches in security that have taken place throughout the tech industry over the past few years.

“Without following the standards for good cybersecurity controls and adhering to applicable regulations, you’re at a much higher risk of your information being breached — and that’s what you’re seeing on the daily news,” Rockwell says.

Cisco plays a major role in helping centrexIT protect their clients. As long-time partners with Cisco, centrexIT was given the opportunity to be the first to adopt Cisco’s latest security features.

“centrexIT is in the process of transitioning to a Next Gen MSP — an MSP with an MSSP (Managed Security Services Provider) practice,” Rockwell says. “We’re expecting huge growth in our MSSP line of business next year, both from existing MSP clients buying MSSP services as well as non-MSP clients buying MSSP services. Our focus on quality and security will only continue to grow as our clients keep demanding it.”

With the company’s growth and the Culture of Care at the forefront, the centrexIT team was more than ready to adopt the latest features.

“We’re using the new Cisco Umbrella features such as file inspection with anti-virus (AV) engine, Cisco Advanced Malware Protection (AMP), and custom URL blocking to help further protect our clients,” Rockwell says.

File inspection provides centrexIT with even deeper protection. When Umbrella receives a DNS request, it uses intelligence to determine if the request is safe, malicious, or risky, meaning the domain contains both malicious and legitimate content. Safe requests are routed as usual and malicious requests are blocked. Risky requests are routed to our cloud-based proxy for deeper inspection. The Umbrella proxy uses Cisco Talos web reputation and other third-party feeds to determine if a URL is malicious. With the advanced package, the proxy will also inspect files that users attempt to download from those risky sites, using an anti-virus (AV) engine and Cisco Advanced Malware Protection (AMP). Based on the outcome of this inspection, the connection is allowed or blocked.

Through custom URL blocking, centrexIT has even more control over information being accessed and in discovering potential security threats. Custom URL blocking gives MSPs the ability to enforce against malicious URLs in a destination list. It provides the flexibility to block specific pages without blocking entire domains.

These new security features are a huge plus for centrexIT and its clients. They help fulfill its core value and meet its key metric, says Rockwell. “At the end of the day, our clients’ lives are easier and they’re at peace because they know we’re working tirelessly to care for them and keep their information safe and private.”