multi-factor authentication Archives – Brain Trust Technologies LLC

Google releases year-long security study

November 21, 2017 admin Security 2017november21security_c, account hijacking, data breach, google, keylogging, multi-factor authentication, Passwords, phishing, research

Your passwords are the gateway to your files, money, and identity, so it’s no surprise that hackers are constantly trying to steal them. Most cybercriminals will use malware to do the trick, but they also have other means at their disposal. Google’s year-long security investigation provides the details.

The results
From March 2016 to March 2017, Google and UC Berkeley researchers examined three main ways hackers hijack accounts:

Keylogging software – a malicious program that records computer users’ keystrokes
Phishing emails – to lead people into dangerous websites
Stolen passwords – available to the highest bidder

In just one year, Google found 788,000 successful keylogging attacks, 12.4 million victims of phishing attacks, and 1.9 billion accounts exposed via login credentials sold on the black market.

Researchers suggest the reason so many accounts are hacked is because people tend to reuse their passwords, which means if one set of login credentials is exposed, other accounts could be compromised.

Phishing is also a big threat because it targets users — the weakest links in your cybersecurity. The strongest password or security system won’t mean anything if your employees constantly fall for online scams.

Protecting your accounts
There are several things you can do thwart account hijacking. For starters, you should set strong and unique passwords for each account to minimize data breaches.

While the general rule in the past was to set a complex password — a mix of letters, numbers, and symbols — recent studies suggest that longer, 20-character “passphrases” are much tougher to crack. If you find it difficult to remember several passwords, consider using a password manager, which not only stores all your passwords, but can generate strong passwords, too.

To deal with phishing attacks, you should activate multi-factor authentication on your accounts. This adds an extra layer of identity verification to your password (e.g., a fingerprint scan or a temporary security key sent to your phone), making your login details ‘unphishable.’

Security training is also crucial. This includes teaching your employees about what phishing attacks look like and instructing them on password protection best practices so they never fall victim to account hijacking.

The bottom line is not only that strong password security requires strong defense mechanisms; you and your employees must be vigilant, too.

Need more advice on keeping your business safe? Call us today! We provide critical security updates and comprehensive support services to help you stay well ahead of cybercriminals.

Published with permission from TechAdvisory.org. Source.

Your passwords are not secure

October 19, 2017 admin Security 2017october19security_c, account monitoring, multi-factor authentication, Password security, security best practice, single sign-on

A password policy designed for federal agencies must be secure, right? Surprisingly, that hasn’t been the case according to the National Institute of Standards and Technology (NIST). On the hook for the password best practices that we still use today — the combination of letters, capitalizations, and numbers — NIST admits that the existing guidelines were misguided. Find out why and how it involves you.

The problem

The issue isn’t necessarily that NIST advised people to create passwords that are easy to crack, but it did steer people into creating lazy passwords, using capitalization, special characters, and numbers that are easy to predict, like “P@ssW0rd1.”

This may seem secure, but in reality, these strings of characters and numbers could easily be compromised by hackers using common algorithms.

To make matters worse, NIST also recommended that people change their passwords regularly, but did not define what it actually means to “change” them. Since people thought their passwords were already secure with special characters, most only added one number or symbol.

NIST essentially forced everyone, including you and your colleagues, to use passwords that are hard for humans to remember but easy for computers to guess.

The solution

One cartoonist pointed out just how ridiculous NIST’s best practices were when he revealed that a password like “Tr0ub4dor&3” could be cracked in only three days while a password like “correcthorsebatterystaple” would take about 550 years.

Simply put, passwords should be longer and include nonsensical phrases and English words that make it almost impossible for an automated system to make sense of.

Even better, you should enforce the following security solutions within your company:

Multi-factor Authentication – which only grants access after you have successfully presented several pieces of evidence
Single Sign-On – which allows users to securely access multiple accounts with one set of credentials
Account Monitoring Tools – which recognize suspicious activity and lock out hackers

When it comes to security, ignorance is the biggest threat. If you’d like to learn about what else you can do to fortify security, just give us a call.

Published with permission from TechAdvisory.org. Source.

Office 365 users face new phishing scam

September 15, 2017 admin Security 2017september15security_c, microsoft, multi-factor authentication, office 365, spear phishing

With the popularity of Office 365, hackers are trying to find new ways to exploit its users, and they’ve come up with a new idea: a credential-harvesting campaign that uses personalized spear-phishing mails as a tool. If you’re an Office 365 user and don’t want your account compromised, read on.

What makes it different from other scams?

The new threat comes in the form of spear phishing, an old familiar method in which hackers send emails that purport to be from trusted sources and dupe you into disclosing sensitive information. In this particular attack, the email messages are admirably well-crafted, making them even harder to spot.

The emails are also rid of the usual telltale signs such as misspelled words, suspicious attachments, and dubious requests. You might have to recalibrate what you know about phishing scams, because this new threat ticks all the boxes that make it look legitimate.

How does it work?

The hackers behind the attack craft personalized messages, pretending to be from trusted sources, such as your colleagues or Microsoft itself, and send them to your inbox. The messages could contain a link or a PDF file that leads to a legitimate-looking landing page. Upon clicking the link, the user will be prompted to enter his or her credentials, which the hacker will use to launch attacks within the organization.

Once they gain control of your account, they might set up new forwarding rules to monitor your communication patterns, which will be useful for their future attacks. They might even use your account to send further phishing emails to your co-workers to collect more sensitive information.

As for the phishing emails with PDF attachments, there will be instructions to fill in username and password to view the document. And once you do, your account is no longer yours.

Another way they can get your credentials is by sending an invoice that requires you to log on to a web portal to view the file. Attackers can also use this technique to trick you into performing a certain action, such as forwarding sensitive information or paying an invoice.

What can you do to stay protected?

Your first line of defense is multi-factor authentication, whereby you use a password and another authentication method — like an SMS code — to secure your account. This function is already included in Office 365 and here’s a step-by-step guide on how to activate it.

The second line of defense is training yourself and your employees to spot common phishing techniques. In particular, verify the accuracy of the wording and the sensibility of the requests in the messages.

For good measure, your organization can also install an email-validation system which is designed to detect and prevent email spoofing, such as the Domain-based Message Authentication, Reporting and Conformance (DMARC).

Identifying phishing emails and planning and implementing a robust defense system are ways to protect you and your organization against the new Office 365 threat. For tips on how to spot this type of scam and how to plan thorough security practices, contact our experts today.

Published with permission from TechAdvisory.org. Source.