Building the World’s Fastest Remote Desktop Management – Part 4

Fastest Remote Control

Building the world’s fastest remote desktop management solution is a bit like building a high-performance car. The first things to worry about are how fast it goes from zero to 60 and how well it handles on the road. Once those are ensured, designers can add the bells and whistles that make the high-end experience complete.

In the first three installments of this series (Part 1, Part 2 and Part 3) we talked about the remote management technology used to deliver speed and performance; now we are ready to talk about the bells and whistles that deliver the high-end experience IT administrators need. Kaseya Remote Control R8, which became available on September 30, adds six enhancements to strengthen security and compliance and help IT administrators resolve issues more quickly on both servers and workstations:

  1. Private Remote Control sessions:

    In many industries, such as healthcare, finance, retail and education, security during a remote control session is crucial. Administrators cannot risk letting whoever is standing next to the server or workstation watch sensitive information on its screen. Kaseya Remote Control R8 lets IT administrators establish private Remote Control sessions on Windows so they can work on servers or workstations securely and discreetly.

  2. Track and report on Remote Control sessions:

    The same industries have strict compliance requirements. Remote Control R8 lets IT organizations track and report on Remote Control sessions by admin, by machine and per month, week or day, giving an access history that can be produced for an audit.

  3. Shadow end user terminal server sessions:

    Many users run terminal server sessions for which they may need assistance. Remote Control R8 lets IT administrators shadow end user terminal server sessions to more easily identify and resolve user issues.

  4. See session latency stats:

    Poor performance is often hard to diagnose. Remote Control R8 shows session latency statistics during the remote control session, so administrators know the connection quality and can judge its relevance to an end user’s issue.

  5. Support for Windows Display Scaling:

    HiDPI displays are quickly becoming the norm on new devices. Remote Control R8 supports these display types (for example Retina) so IT administrators can remotely view the latest high-resolution screens at their native scaling.

  6. Hardware acceleration:

    Remote management is much easier when one can clearly see the remote machine’s screen. Remote Control R8 enables hardware acceleration, using the video card for image processing, for a sharper remote window while reducing CPU overhead by 25%-50% depending on the admin’s computer hardware.

Just like your favorite high-performance car, Kaseya Remote Control R8 delivers the speed, performance and features IT administrators need for a high-end management experience.

Let Us Know What You Think

The new Desktop Remote Control became available with VSA R8 on September 30.

We’re looking forward to receiving feedback on the new capabilities. To learn more about Kaseya and our plans please take a look at our roadmap to see what we have in store for future releases of our products.

Author: Tom Hayes

Multi-Factor Authentication on Mobile Devices

Multi-Factor Authentication

My friend Tony loves electronics and gadgets and probably owns every kind of toy there is: iPads, a home theatre system, an Xbox, a GoPro, a quadcopter with a Wi-Fi camera, and so on. He travels a lot for work and is always connected to the internet via his phone and wireless hotspots. He is a technophile, which makes work and life convenient for everyone associated with him. Or does it?

In my opinion, Tony is a perfect embodiment of the statement “Employees are the biggest vulnerability in a company’s information security.” Tony’s work email has been set up on every tablet he has owned. He never bothered to remove the email settings and data from the old devices when he bought a new one (who does that anyway?). His kids have access to his old mobile devices, and most of them have no passcode lock, because for end users ease of use often trumps security concerns. This gives Tony little to no control over who else uses those old devices for casual browsing, and he compromises not only his personal data but his work data as well. While he is no Jennifer Lawrence (trust me, his personal photos are not in demand!), he still leaves his personal information exposed and opens his work email to casual browsing by others, inadvertently compromising his company’s information security. And he is not an exception. There are lots of folks like Tony. Not too long ago we had this news:

Iowa State DHS Data Breach – Two workers used personal email accounts, personal online storage and personal electronic devices for work purposes

Furthermore, what happens when Tony quits his job? All the data on his mobile devices is company data and IP walking out the door unchecked.

So the obvious solution that comes to mind is, “I will have my IT admin set up, manage and control access to company data on my phone.” Great! That addresses the device management side: remote wipe, tracking a lost phone, managing apps and so on. But what about access management on the mobile management server itself, ensuring that only authorized admins manage your mobile devices remotely, to protect against insider threats?

Enter multi-factor authentication, which authenticates users by verifying at least two of the following:

  • something they know
  • something they own/possess
  • something they are (biometric)

In the context of mobile, this needs to be applied at both ends – mobile end user as well as the mobile admin.

Multi-factor authentication has been around for some time (remember the physical security tokens people carried with their laptops?). Mobile admins follow the same multi-factor authentication as any other IT admin to gain access to the mobile management server. See AuthAnvil’s Two Factor Authentication to understand how insider threats and security breaches can be mitigated for the servers mobile admins use.

But multi-factor authentication for mobile end users is tricky. Picture yourself holding your phone in one hand and a physical security token in the other to check work email. How will you scroll or tap on the screen?

There is a smarter way to handle multi-factor authentication on mobile devices. In a BYOD context IT admins’ control of the user’s personal device is limited compared with a company-provided device, which makes multi-factor authentication all the more critical there. Multi-factor authentication for mobile users can be done by pairing users with specific device(s) and enforcing a secure PIN on the apps that access company email, documents and other intellectual property (an app-level PIN, not the device lock PIN). For the device to count as a real possession factor, the pairing has to rest on a secret the app keeps in the device’s keystore and proves to the server on each login, not on a device name or serial number that anyone could type in. Mobile users can then access company data only if they:

  • Enter the correct security PIN for the apps (something they know)
  • Use the approved device paired with them (something they own/possess)

Tying the back end to Active Directory or LDAP lets the user’s existing directory privileges carry over to the mobile apps, so a user disabled in the directory is locked out of the mobile apps as well. It is very important to note that all this is a very streamlined process: users just open the app the usual way and enter the security PIN for it.
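The two checks described above, as an added example that is not Kaseya’s or AuthAnvil’s code: the device factor is a per-device key issued at pairing and proven with a challenge-response MAC, and the knowledge factor is the app PIN stored as a salted PBKDF2 hash. The server class, the user “tony”, the device names and the PIN values are all hypothetical.

```python
"""Added example (not Kaseya's or AuthAnvil's code): the two checks behind
"paired device + app PIN". The device factor is a per-device key issued at
pairing and proven with a challenge-response MAC; the knowledge factor is the
app PIN, stored as a salted PBKDF2 hash. Names and values are hypothetical."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # a four-digit PIN has little entropy; make guesses slow
MAX_PIN_FAILURES = 5         # and cap them: lock the app login after this many


def device_proof(device_key: bytes, username: str, device_id: str, nonce: str) -> bytes:
    """MAC the server's challenge with the key only the paired device holds."""
    msg = f"{username}|{device_id}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class MobileAuthServer:
    """Server side: users, PIN hashes, paired devices and outstanding nonces."""

    def __init__(self):
        self.users = {}
        self.nonces = set()

    def enroll_user(self, username: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pin_hash": hash_pin(pin, salt),
                                "devices": {}, "failures": 0}

    def pair_device(self, username: str, device_id: str) -> bytes:
        """Issue the device key once, during an admin-approved enrollment; the
        app keeps it in the platform keystore and never shows it to the user."""
        key = secrets.token_bytes(32)
        self.users[username]["devices"][device_id] = key
        return key

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def authenticate(self, username, device_id, nonce, proof, pin):
        user = self.users.get(username)
        if user is None:
            return False, "unknown-user"
        if user["failures"] >= MAX_PIN_FAILURES:
            return False, "locked"
        if nonce not in self.nonces:
            return False, "bad-nonce"        # replayed, expired or never issued
        self.nonces.discard(nonce)           # single use, even when the login fails
        # Possession: the request must carry a valid MAC from a paired device.
        key = user["devices"].get(device_id)
        if key is None:
            return False, "device-not-paired"
        if not hmac.compare_digest(device_proof(key, username, device_id, nonce), proof):
            return False, "bad-device-proof"
        # Knowledge: the app PIN, checked only once the device has been accepted,
        # so an attacker without a paired device never gets to guess PINs.
        if not hmac.compare_digest(hash_pin(pin, user["salt"]), user["pin_hash"]):
            user["failures"] += 1
            return False, "bad-pin"
        user["failures"] = 0
        return True, "ok"


def client_login(server, username, device_id, device_key, pin):
    """What the app does: fetch a challenge, prove the device, send the PIN."""
    nonce = server.challenge()
    proof = device_proof(device_key, username, device_id, nonce)
    return server.authenticate(username, device_id, nonce, proof, pin)


def demo() -> dict:
    """Success case plus the failure modes a reviewer would want to see."""
    server = MobileAuthServer()
    server.enroll_user("tony", "4821")
    key = server.pair_device("tony", "tablet-01")
    out = {
        "good": client_login(server, "tony", "tablet-01", key, "4821"),
        "wrong_pin": client_login(server, "tony", "tablet-01", key, "0000"),
        "old_unpaired_tablet": client_login(server, "tony", "tablet-old", key, "4821"),
        "forged_key": client_login(server, "tony", "tablet-01", b"\0" * 32, "4821"),
    }
    nonce = server.challenge()
    proof = device_proof(key, "tony", "tablet-01", nonce)
    server.authenticate("tony", "tablet-01", nonce, proof, "4821")
    out["replayed_challenge"] = server.authenticate("tony", "tablet-01", nonce, proof, "4821")
    for _ in range(MAX_PIN_FAILURES):
        client_login(server, "tony", "tablet-01", key, "9999")
    out["after_lockout"] = client_login(server, "tony", "tablet-01", key, "4821")
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

The order of the checks is the design point: the PIN is only examined after the device has proven itself, so PIN guessing is possible only from a paired device, and the lockout counter limits even that. The old tablet that was never paired (or whose pairing an admin revoked) fails regardless of whether the kids know the PIN.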

Multi-factor authentication on mobile devices is very important as these devices move company data outside the organization boundary very easily. But the multi-factor authentication on mobile cannot follow the physical security token model. By pairing users with devices and enforcing PIN at app level, multi-factor authentication can be streamlined and transparent to the mobile user, ensuring ease of use and security at the same time. There are innovative solutions in the market that implement such multi-factor authentication on mobile devices and if you are enabling an “anytime anywhere available” mobile workforce then you should seriously consider having this capability.

Author: Varun Taware

Don’t Let the “Bash Bug” Bash Your Business

Bash Bug

The Bash Bug, also known as “Shellshock” (CVE-2014-6271), is a flaw in a widely used piece of Unix system software called Bash, which has been around since 1989. Bash is a command shell: it interprets commands for your computer. The flaw is that Bash would execute commands appended to an environment variable that looked like a function definition, so anything that lets an outsider set an environment variable for a Bash process (a CGI web application, a DHCP client hook, an SSH forced command) lets the attacker run commands of their choosing. For example, the Bash Bug could be used to seize control of a vulnerable web server to collect passwords stored in databases, exfiltrate data, or take other undesirable actions.

Exposure is rather broad, as Bash is used on a variety of Unix-based systems, including Linux and Mac OS X. Servers, routers, Mac computers, network appliances and medical devices are among the devices that ship Bash. Android is usually a lesser concern, since it ships a different shell by default and is exposed only where Bash has been added. Even systems running power plants and municipal water systems could be affected, though security experts already recommend that such systems remain disconnected from the Internet to avoid opening them to such risks.

So what steps can you take to minimize the risk that the Bash Bug does harm to your business?

Consider the following four steps:

Step 1:

Identify all devices that can be affected, which will likely include network devices (routers, switches, etc.), servers, workstations, appliances and so on. Anything connected to your network that is Unix-derived, whether an appliance-based system or a computer running Linux, OS X or BSD, could be exposed. To make this first step easier, use a strong discovery, inventory and audit management tool to help with the identification.

Step 2:

Create scripts to test whether or not those systems are vulnerable. Vendors such as Red Hat have published advisories detailing the exact commands to include in the script along with the expected responses: a patched Bash ignores the crafted environment variable, while a vulnerable one runs the command tucked inside it. Keep the scripts in a management tool to make them easier to create, document and manage.

Step 3:

Run the scripts to produce a list of vulnerable systems. The systems you identified now need to be listed in a way that makes it easy to take action. You could simply list them in a spreadsheet in preparation for a long day of manual repairs, or you could again leverage a management tool, one that captures the results of the testing and makes it easier to implement the fix.

Step 4:

Patch any affected devices. On Linux this means using the distribution’s package manager: Yum (Yellowdog Updater, Modified) on Red Hat-derived systems, apt on Debian and Ubuntu, or zypper/YaST (Yet another Setup Tool) on SUSE. When Apple releases security fixes for OS X, they can be deployed in scripted fashion with the Apple command-line tool ‘softwareupdate’. Appliances and network devices need firmware from their vendors. Re-run the test script after patching, since the first Bash fix was incomplete and a follow-up update was required. These tools can be used in conjunction with a management automation tool that patches the affected devices and documents their updated status, eliminating the need to manually fix and track every device.
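The four steps above, carried through as an added example that is not Kaseya’s code or a Kaseya Agent Procedure: it runs the two published Shellshock probes (the original CVE-2014-6271 function-import test and the CVE-2014-7169 test for the incomplete first fix) against a Bash binary and reduces the results to the list of hosts that need patching. Host names and the `bash` path are hypothetical; for remote hosts an agent or ssh would invoke the same probes.

```python
"""Added example (not Kaseya's code): run the published Shellshock probes
against a bash binary and turn the results into the list of vulnerable
systems that Step 3 asks for. Host names and paths are hypothetical."""
import os
import subprocess
import tempfile

MARKER = "shellshock-probe-fired"


def classify_6271(stdout: str) -> str:
    """CVE-2014-6271: a vulnerable bash executes the text after the function
    body in the exported variable, so the marker shows up in stdout."""
    return "VULNERABLE" if MARKER in stdout else "not-vulnerable"


def check_cve_2014_6271(bash: str = "bash") -> str:
    # The exported value begins with "() {", which an unpatched bash imports
    # as a function definition and keeps parsing past the closing brace.
    env = dict(os.environ, x="() { :;}; echo " + MARKER)
    try:
        proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                              capture_output=True, text=True, timeout=15)
    except FileNotFoundError:
        return "bash-not-found"
    return classify_6271(proc.stdout)


def check_cve_2014_7169(bash: str = "bash") -> str:
    """CVE-2014-7169: after the first, incomplete fix a crafted variable could
    leave a redirection behind, so 'echo date' writes a file named 'echo'."""
    env = dict(os.environ, X="() { (a)=>\\")
    with tempfile.TemporaryDirectory() as cwd:
        try:
            subprocess.run([bash, "-c", "echo date"], env=env, cwd=cwd,
                           capture_output=True, text=True, timeout=15)
        except FileNotFoundError:
            return "bash-not-found"
        leaked = os.path.exists(os.path.join(cwd, "echo"))
    return "VULNERABLE" if leaked else "not-vulnerable"


def scan_host(host: str = "localhost", bash: str = "bash") -> dict:
    """One row of the inventory (Step 2 run against one system)."""
    return {
        "host": host,
        "CVE-2014-6271": check_cve_2014_6271(bash),
        "CVE-2014-7169": check_cve_2014_7169(bash),
    }


def vulnerable_hosts(rows: list) -> list:
    """Step 3: reduce the scan rows to the hosts that still need a patch."""
    return [row["host"] for row in rows
            if any(v == "VULNERABLE" for k, v in row.items() if k.startswith("CVE-"))]


if __name__ == "__main__":
    rows = [scan_host("localhost")]
    for row in rows:
        print(row)
    print("needs patching:", vulnerable_hosts(rows))
```

Run it again after Step 4: both probes should report not-vulnerable on a fully patched Bash, and a host that passes the first probe but fails the second has only the incomplete first fix installed.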

Kaseya’s management and automation solution can help you move through these four steps with greater ease, speed, and efficiency, while minimizing the human error factor. More specific information on the Kaseya approach using Agent Procedure can be found on the Kaseya Community Forum. Managed Service Providers using the Kaseya solution, such as Upstream, can also help you resolve the issue. And once you have used the Kaseya solution to address the Bash Bug, you then have a leading management and automation solution in place to help you address the next, unfortunately inevitable security and compliance issue (which at current course and speed might be just days away!).

Authors:

Tom Hayes, VP Product Marketing, Kaseya

Ben Lavalley, Product Management, Kaseya

What can The Simpsons teach us about IT security?

Simpsons IT Security

When it comes to educating your users about IT security, there are a lot of wrong ways to connect the dots between concepts and practices. Simplistic training sessions can make your users feel ignorant, gullible, or even unintelligent. In my experience, the best practices tend to be those which are honest, informative, and entertaining. When you make your lessons entertaining, you improve the amount of knowledge your employees retain. It’s just that simple.

With that in mind, let’s take a look at some lessons that won’t fail to entertain and inform your end users. Here are five lessons about IT security we can learn from everyone’s favorite jaundiced TV family: The Simpsons.

Quote One: “Me fail English? That’s unpossible!” – Lisa on Ice (Simpsons S6E8)

Lesson in IT security: No one and nothing is infallible.

No matter how adept your computer security skills are, there will always be things which catch you unaware. Viruses, malware, and social engineering are continually being refined, and as such their potency is always greater than ever before. You may speak IT as your native language, but that doesn’t mean failure is unpossible.

Malware in the wild is only half of the equation, because Shadow IT also falls under this lesson. Most of the time, when you encounter an instance of Shadow IT, it’s just a user with the best of intentions. It could be a worker trying to improve their productivity, or a “tech savvy” user “improving” the security of their system. Unfortunately there is a strong correlation between Shadow IT and malware, and, while correlation doesn’t imply causation, in the world of IT security there’s usually a fire if you smell smoke. No one is infallible, and when non-IT staff are free to install apps of their own volition, the risks become compounded.

Quote Two: “You tried your best and you failed miserably. The lesson is: never try.” – Burns’ Heir (Simpsons S5E18)

Lesson in IT security: IT Security is about risk mitigation, not risk elimination.

Let me say that again, IT security is about mitigation, not elimination. This quote is a solid example of the inverse of the rule, which is what many people believe. I’ve heard numerous end-users tell me that they “don’t bother running any of those anti-virus programs”, because they “used to pay for one and they got a virus anyways.”

“Anti-virus” programs, which are more accurately named “anti-malware” programs, are not infallible. The same goes for firewalls, any form of authentication, or any other IT security related product in existence. The only absolute in IT security is the absolute possibility of risk. That doesn’t mean the products do not work, in fact many are extremely effective at mitigating the risk of various attack angles, it’s just that there’s no such thing as a “silver-bullet product” which is capable of eliminating risk.

Quote Three: “Don’t worry, head. The computer will do our thinking now.” – The Computer Wore Menace Shoes (Simpsons S12E6)

Lesson in IT security: Having strong security practices does not mean that you can stop thinking about IT security.

A lot of professionals feel that automation can handle everything, including the security of their IT infrastructure. Unfortunately, that’s only a half-truth. Automation is a glorious tool for the IT professional. Mundane and advanced tasks can be automated so as to execute with more efficiency than ever before. Never again will driver updates be so strenuous a task. Unfortunately, maintaining security is less of a science, and more of an art form, and as such the human element is always critical.

Consider Cryptolocker, which has recently been seen spreading under the guise of a fax notification email. Short of sandboxing every email client and browser across your network, there is not a lot you can automate in advance to stop a lure like this. If you follow the security forums, though, you may have seen people who had recently encountered that variant. With human intervention you can then set up a mail filter for that lure’s characteristics (its subject line and attachment type rather than just the word “fax”) and tell your staff about the risk and how to avoid infection. When that level of automation becomes possible you can let the computer do your thinking; until then, you can’t simply assume your systems will handle everything.

Quote Four: “They have the Internet on computers, now?” – Das Bus (Simpsons S9E14)

Lesson in IT security: Keeping your intranet internal and your DMZ demilitarized are no longer easy tasks.

Yes Homer, they have the internet on computers now. To be more accurate, they have the internet on everything now. Back in the day, keeping users off unsecured connections was as easy as telling them that being caught with a personal modem in the office was a termination-worthy offense; however, with the prevalence of cell phones and other portable devices, a far greater risk than the 2400 baud modem of yore lies in every employee’s pocket.

What this means is that endpoint security and security awareness training are more critical than ever before. You can’t always trust your users, but you can teach them to not trust themselves. That may sound like a candidate for “most depressing speech ever given to new employees”, but if they’re aware of the risk each of them poses to the security of your network, they may hesitate before using their smartphone to send out that confidential business information in the future.

Quote Five: “Can’t someone else do it?” – Trash of the Titans (Simpsons S9E22)

Lesson in IT security: This final rule has an easy explanation. No, someone else cannot do it. IT security is everyone’s job.

This episode is one of the most memorable Simpsons episodes, and incidentally it’s also one of the most relevant lessons you can pass on to your users. How does garbage disposal tie in to IT security? Quite easily, just consider IT security like running a sanitation department.

Homer’s sanitation plan failed because of the inefficiency inherent in getting a third party to handle all of the jobs previously handled by the citizens. Why is it okay, then, to have IT security handled by a single department or person? People take their garbage to the curb to decrease the work required of sanitation workers; it’s this collaboration that makes the process effective. It logically follows that such collaboration would equally benefit an IT department. Minimize the work you place on your IT staff: if you bring them your security concerns, such as potential malware infections, rather than leaving it to them to notice and figure out, then the entire process is streamlined. Work smarter and minimize the workload placed on IT’s shoulders, because, while someone else can do it, having someone else do it is extremely inefficient.

If you’re looking for even more ways to improve the efficiency of your IT staff, why not take a look at a system which offers innumerable utilities from a single pane of glass.

A properly implemented Single Sign-On solution can also drastically improve the efficiency of business. For more information on that subject: Click Here.

Author: Harrison Depner

Education and Mitigation: Improving IT Security Through User Education

School IT Security

Unless your network consists of a room full of users connecting to an unsecured consumer-grade router, the most vulnerable part of your network is your users. Technology is good at following rules consistently, while people are not. You can trust a computer not to install viruses on itself; it can be infected, but that’s not how it was designed to function. Technology may not always work the way it’s supposed to, but the technology itself has no control over its actions. People, on the other hand… Well, you just can’t trust people not to make bad decisions.

Even the Romans knew it. To err is human: Errare humanum est. -Seneca

Trusting in your users to do everything right is foolhardy; however, it’s quite possible to teach them not to trust themselves! In the field of IT security you should trust no one. Think about how much risk would be mitigated if you could pass that notion on to your users.

Would your average users stop opening random links people send them to featuring “10 cute kitten videos you have to see?” Probably not, but if we change the question a little and ask, “Would your users engage in that sort of risky behavior less often?” Then the answer becomes a definitive “yes.”

When it comes to educating your users about IT security, there are a lot of wrong ways to connect the dots. Simplistic training sessions can make your users feel ignorant, gullible, or even unintelligent. From my experience, the best practices tend to be those which are honest, informative, and relevant. Try having a brownbag lunch and discussing IT security issues that have recently received media coverage. People remember large events like when Sony was hacked, so you could work that into a lesson about why it’s dangerous to recycle passwords across websites. Make your lessons relatable and you will improve the amount of knowledge your employees retain. It’s just that simple.

Maybe this doesn’t apply to your business. Perhaps you work at an MSP where the most computer illiterate employee you have is the janitor from Elbonia who has his CIS degree printed on what looks to be a cereal box. Well, even then there’s still plenty to learn.

Work can be hectic and busy. There are always new patches to install, and break-fix work to do. After a certain point, it gets really easy to just become apathetic to the process. Well, no surprises here but, not embracing life-long learning is one of the worst possible things you can do. IT security isn’t something you can just learn and be done with, it’s a constantly changing and evolving field! You can memorize your ABCs, but the closest things to that I have seen in IT are the four cardinal rules of IT security.

Have you heard of the four cardinal rules? Probably not, because I’m sure my instructor was improvising when he taught us. That would explain why they’re pretty much the same as the four cardinal rules of gun safety. Well, here are those four rules, so read them and see if you pick up anything new!

  1. All guns are always loaded.

    Connecting things to a network is a lot like picking up a gun. It could be loaded (with malware), or be poorly manufactured, which adds the risk of it blowing up in your face. You might want to trust the ergonomic keyboards your techs brought from home, but even that can be risky.

    In short: Assume nothing, and check everything.

  2. Always point the muzzle in a safe direction.

    Patches, updates, hardware installations, this applies to everything. If you’re going to change anything on your network, don’t just plow ahead and do it. Aim those changes in a safe direction (like a test server, or non-critical system) and try things out there first. If things work well on the test server, then safely implement the changes across all systems. You wouldn’t play Russian-Roulette with your life on the line, so why would you do it with your network?

    In short: Test everything before it goes live.

  3. Keep your finger off the trigger until you are on target and ready to shoot.

    It’s good to stay on top of the most recent updates, but there’s a fine line between updating appropriately and excessively. Just because you can update to the newest beta version of Java doesn’t mean you should, and just because there’s a newer version of an OS, that doesn’t mean you need it.

    In short: Don’t change anything on the fly and don’t install anything without considering the results.

  4. Know your target, and what lies beyond.

    When changing anything, make sure you are fully aware of what it is, what it does, and what needs it. Consider what happened with the release of Windows Vista. Many businesses updated to Vista because their hardware supported it; unfortunately, a number of devices which relied on XP’s resources no longer functioned as a result. Users were scrambling to figure out why their printers, webcams, and other gadgets no longer worked, and it caused quite a headache for the people who supported those systems.

    In short: Do your research. Nothing is as modular as it seems, and updating something as innocuous as a printer could bring your network to its knees.

Above all else, always remember that you can never know too much. Keep on learning, keep reading those blogs, and keep reading those forums. You’ll never know if something you learned is relevant until you have to do it yourself.

Now, before you go looking for random lessons to train your coworkers on, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, why not take a look at Kaseya University.

Kaseya University is a state-of-the-art training platform for Kaseya users. It utilizes an innovative blended learning approach to provide both structured and flexible access to technical product training. The Learning Center allows students to build a truly customized learning experience unique to their needs. Kaseya University is kept current with Kaseya product releases, and refreshed multiple times a year. To learn more about Kaseya University: Click here

With that knowledge you can accomplish even more from a single pane of glass.

If you want more information on IT security or just want some topic starters: Click Here

If you want a more direct approach for improving your IT Security: Click Here

Author: Harrison Depner

Haste Prevents Waste. Single Sign-On Can Improve Any MSP’s Profit Margin

Single Sign-On Efficiency

As people gain access to more online resources, they need to remember an ever-increasing number of usernames and passwords. Unfortunately, having more usernames and passwords means spending more time keeping track of them.

If you’re a business owner and you don’t have password management software, then you’re letting your employees manage their passwords on their own. Your users could be setting the stage for every IT security manager’s worst nightmare: an office full of sticky notes with user names and passwords clearly visible around their workstations or cubicles. Without some form of password management solution, your employees are suffering from ongoing frustration as they try to manage their passwords while following your IT security requirements.

If your business is already using password management software, then you should have a solution that manages which resources your employees are able to access, and which credentials they should use to do so. Unfortunately, your password system may not be doing everything it can to provide simple, and secure access for your employees.

What if there was a way for users to have strong passwords without the need to remember them, while also retaining a high degree of security?

Regardless of how you’re managing your passwords today, you can eliminate password frustration, increase your employees’ efficiency, and improve your IT security by implementing a single sign-on password management solution.

What is Single Sign-On?

Single sign-on (SSO) is a system through which users can access multiple applications, websites, and accounts by logging in to a single web portal just once. After the user has logged into the portal, he or she can access those resources without needing to enter additional user names or passwords.

Single sign-on can be built in two ways. The simpler way is a password vault: the system stores each user’s login ID and password for each resource and fills them in behind the scenes when the user navigates from the portal to a site or application. The stronger way is federation: the portal acts as an identity provider that, after the one login, issues a signed assertion to each application, so the application never sees a password at all. From the user’s perspective both look the same: they appear to be logged in automatically.

High quality SSO solutions provide access to a variety of internal and external resources through the federation standards SAML, WS-Federation and WS-Trust, and fall back to stored credentials only for applications that support none of them.

As with any password management application, security is a critical consideration for SSO systems; the portal becomes the one door that opens all the others. Single sign-on is therefore usually implemented in conjunction with some form of multi-factor authentication (MFA) to ensure that only authorized users are able to log into the SSO web portal.
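The federated flow described above, as an added example that is not Kaseya’s or AuthAnvil’s code: the identity provider issues a signed assertion after one login, and each service provider verifies the signature, audience and expiry and rejects replays, without ever handling a password. An HMAC over a canonical JSON body stands in for the XML signature a real SAML assertion carries, and the key, application names and user are hypothetical.

```python
"""Added example (not Kaseya's or AuthAnvil's code) of the federated SSO flow
behind protocols such as SAML: the IdP issues a signed assertion after one
login and each SP trusts the assertion instead of ever seeing a password.
An HMAC over canonical JSON stands in for the real XML signature; the key,
application names and user are hypothetical."""
import hashlib
import hmac
import json
import secrets
import time

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def sign(key: bytes, body: dict) -> bytes:
    """Canonicalise the body so signer and verifier hash identical bytes."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


class IdentityProvider:
    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key
        self.sessions = {}  # portal session token -> username

    def login(self, username: str, credentials_ok: bool) -> str:
        """The one interactive login (password plus MFA in practice); this
        demo only records whether that check passed."""
        if not credentials_ok:
            raise PermissionError("portal login failed")
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def issue_assertion(self, session_token: str, audience: str, now=None) -> dict:
        """Mint an assertion for one application; no password leaves the IdP."""
        username = self.sessions[session_token]
        now = time.time() if now is None else now
        body = {
            "subject": username,
            "audience": audience,            # which SP may accept it
            "issued_at": now,
            "expires": now + ASSERTION_LIFETIME,
            "assertion_id": secrets.token_hex(8),
        }
        return {"body": body, "signature": sign(self.signing_key, body)}


class ServiceProvider:
    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self.idp_key = idp_key
        self.seen_ids = set()

    def accept(self, assertion: dict, now=None):
        """Return (username, "ok") or (None, reason). Signature first, so a
        tampered audience or subject is caught before anything is trusted."""
        body = assertion["body"]
        if not hmac.compare_digest(sign(self.idp_key, body), assertion["signature"]):
            return None, "bad-signature"
        if body["audience"] != self.name:
            return None, "wrong-audience"   # minted for another application
        now = time.time() if now is None else now
        if now >= body["expires"]:
            return None, "expired"
        if body["assertion_id"] in self.seen_ids:
            return None, "replayed"
        self.seen_ids.add(body["assertion_id"])
        return body["subject"], "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    idp, crm, wiki = IdentityProvider(key), ServiceProvider("crm", key), ServiceProvider("wiki", key)
    session = idp.login("alice", credentials_ok=True)
    assertion = idp.issue_assertion(session, "crm")
    print("crm first use :", crm.accept(assertion))
    print("crm second use:", crm.accept(assertion))
    print("wiki          :", wiki.accept(idp.issue_assertion(session, "crm")))
```

The three rejections are the ones worth testing in any SSO deployment: an assertion for one application presented to another, an assertion presented twice, and an assertion whose body was edited after signing. The password check happens exactly once, at `login`, which is where the MFA step belongs.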

5 Reasons MSPs Benefit from Single Sign-On

  1. SSO can create exceptionally strong password security. When paired with multi-factor authentication (MFA), single sign-on gives you a password management solution that can be both user friendly and extremely secure.
  2. SSO makes enforcing password policies easier. In addition to allowing strong passwords for critical resources, an SSO system makes it easier to assign and maintain those passwords. In some cases you can take users out of the password management process entirely: a good SSO system will let you assign them behind the scenes and change them as needed when your security needs evolve.
  3. Users won’t need or want to save passwords in their unsecured browser. To the average end user, the ability of a web browser like Chrome to remember and submit passwords is a huge bonus; however, while saved passwords offer some of the convenience of single sign-on, browsers offer little of the security and none of the central control that come with a true password management solution. When you implement an SSO system, you remove the temptation for employees to save passwords in their browsers, because the SSO portal does that job instead, and often does it better. At that point you can disable that feature in their browsers without the risk of angering your users.
  4. Single sign-on makes your systems easier to secure. Rather than securing dozens or even hundreds of access points to your systems, your security administrators can focus the majority of their efforts on securing just one: the SSO system. If you pair the SSO system with multi-factor authentication, your credentials will be more secure and more manageable than a collection of independently secured websites and systems.
  5. Reduced IT help desk calls. Experts estimate that the average employee calls the IT help desk for password assistance about four times per year. Given that an average help desk call takes about 20 minutes, that’s 80 minutes of the end user’s time per year, and 160 minutes of wasted time per year per end user once you count the IT staff on the other end of the call. A good SSO solution puts that time back on your bottom line and frees your IT professionals to spend their time on more important projects.

Now, before you go looking for a single sign-on system for your business, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, make sure that the solution you choose supports a Kaseya integration. Scorpion Software was acquired by Kaseya not long ago, and they offer a full Kaseya integration of their user authentication and password management suite. Their suite offers single sign-on, multi-factor authentication, and many other features. So, if you’re looking for a Kaseya-optimized suite, there’s no better place to start. That way you can accomplish even more from a single pane of glass.

If you want more information on what a good single sign-on system should do: Click Here

If you want to know what I would recommend as a single sign-on solution: Click Here

Author: Harrison Depner

Why is it called “Multi-Factor” Authentication? (MFA)

MFA Steps

Why is multi-factor authentication (MFA) “multi-factor” anyways? A simple enough question, right? Well, it’s not as simple as it sounds.

Depending on where you look, you can see references to two-factor authentication, three-factor authentication, strong authentication, advanced authentication. Based on the name, it sounds like these are all just subcategories of multi-factor authentication. Unfortunately, that’s only half true, and that’s also where this question gets complicated.

Which types of authentication are always examples of multi-factor authentication?

Two-factor and three-factor authentication are always examples of multi-factor authentication. Multi-factor authentication, by definition, is authentication using at least two of the three possible authentication factors. So yes, two-factor and three-factor authentication are both examples of multi-factor authentication.

What about “strong” and “advanced” authentication?

This is where it gets tricky. Both strong and advanced authentication can, in practice, be considered multi-factor authentication; however, it depends on how the authentication is implemented. To understand what I mean, we first need to define what multi-factor authentication is.

What is multi-factor authentication?

The term “authentication” refers to the ability to verify the identity of a person attempting to access a system (presumably someone who is authorized to access that system). The term “factor”, then, necessarily refers to the different types of tests someone must pass to prove their identity. For IT security, these factors usually fall into three broad categories:

  • Knowledge: Something you know.

    This is the factor upon which password-only systems rely. To pass a knowledge factor based test, you must prove that you know a secret combination, like a password, PIN, or pattern.

  • Possession: Something you have.

    To authenticate using this factor, you must prove you possess something that only you should have, like a key, or an ID card.

  • Inherence: Something you are.

    Inherence means something that is inherently yours. That usually means a unique physical or behavioral characteristic, tested through some sort of biometric system.

Multi-factor authentication requires that a system use at least two of these authentication factors to authenticate users. That’s why it’s “multi-factor” authentication.

Wait… so what was that about “strong” and “advanced” authentication?

Well, multi-factor authentication requires that at least two factors be used. Both advanced and strong authentication can use two or three tests; however, their requirements do not demand that the tests come from different categories. Strong authentication could be achieved by using a password and a security question, while advanced authentication could be established with a password and a challenge question. This means that, while all multi-factor authentication solutions count as strong or advanced authentication, not all strong and advanced authentication solutions count as multi-factor authentication.
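To make the category distinction above concrete, here is an added example (our own code, not code from the post or from any product it mentions). It classifies the tests a user passed by factor category, so a password plus a security question comes out as “strong” but not multi-factor, and it checks one real test from two different categories: a salted PBKDF2 password hash (knowledge) and an RFC 6238 time-based one-time code (possession). The function names, the factor labels in `TEST_FACTOR` and the sample user record are constructions for this example; the TOTP secret is the published RFC 4226/6238 test-vector key so the expected codes can be checked against the RFCs.

```python
"""Added example (not from the post or from AuthAnvil): classify passed tests by
factor category and verify a knowledge test plus a possession test."""
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Which category each kind of test proves. A password and a security question are
# two different tests but the SAME factor, which is the post's strong-vs-MFA point.
TEST_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "totp": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def classify(passed_tests):
    """'multi-factor' needs tests from at least two categories; 'strong' is the
    post's label for several tests from one category; otherwise single-factor."""
    categories = {TEST_FACTOR[t] for t in passed_tests}
    if len(categories) >= 2:
        return "multi-factor"
    if len(passed_tests) >= 2:
        return "strong"
    return "single-factor"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, now, step=30, window=1):
    """RFC 6238 TOTP: the counter is the current 30-second step. Accepting one step
    either side tolerates clock drift; a wider window also widens what a guesser
    can hit, so keep it small and rate-limit attempts."""
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), str(code).encode())
               for d in range(-window, window + 1))


def password_record(password, salt, rounds=100_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    return {"salt": salt, "rounds": rounds,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)}


def verify_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def authenticate(user, password, totp_code, now):
    """Return (accepted, label). Accepted only when the passed tests span two
    categories, i.e. the login is multi-factor rather than merely 'strong'."""
    passed = set()
    if verify_password(user["password"], password):
        passed.add("password")
    if verify_totp(user["totp_secret"], totp_code, now):
        passed.add("totp")
    label = classify(passed) if passed else "rejected"
    return label == "multi-factor", label


# Constructed sample user. The TOTP secret is the RFC 4226/6238 test-vector key,
# used here only so that the expected codes can be checked against the RFCs.
SAMPLE_USER = {
    "password": password_record("correct horse battery staple", b"constructed-salt"),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    print(classify({"password", "security_question"}))  # strong, but still one factor
    code_now = hotp(SAMPLE_USER["totp_secret"], 59 // 30)
    print(authenticate(SAMPLE_USER, "correct horse battery staple", code_now, 59))
```

Note that `authenticate` evaluates both tests before deciding, so a failed password and a failed code look the same to the caller; the post's point is visible in the label: only tests from two categories earn “multi-factor”, and a second knowledge test would never get there.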

Why do businesses need multi-factor authentication?

Many groups feel that single-factor authentication is adequate for their needs, but let’s consider something first. You have a bank account, and tied to that bank account you likely have both a debit and a credit card. To access your money you already use multi-factor authentication: you have a debit/credit card (possession) and a PIN code/password (knowledge). Now, consider how much a breach could cost your business. Does your business’ network deserve the same level of protection as your personal bank account, if not more?

Yes, yes it does.

Many industries already require multi-factor authentication! If you work in law enforcement in the United States, then you’re likely required to be CJIS compliant. CJIS compliance requires advanced authentication. If you work in retail, you’re likely PCI compliant. Again, PCI compliance requires multi-factor authentication. If you work in healthcare, then there’s HIPAA to consider. HIPAA is yet another regulation that requires multi-factor authentication. What this demonstrates is that, for IT security, MFA is becoming mainstream.

What’s my recommendation for a multi-factor authentication solution?

Well, no solution should be a one-size-fits-all response. You should be able to customize and tailor any potential solution so that vital resources are protected, without inconveniencing users who don’t require multi-factor authentication. If you’re interested in a solution designed from the ground up with security and usability in mind, then I’d recommend “AuthAnvil Two Factor Auth”.

AuthAnvil Two Factor Auth is a multifactor authentication server capable of adding identity assurance protection to the servers and desktops you need to interact with on a regular basis, and deep integration into many of the tools that you may use day to day. It also works with pretty much anything that supports RADIUS, so along with your Windows logon it can protect things like your VPNs, firewalls and Unix environments. Conveniently enough, it also integrates smoothly with Kaseya. That way you can accomplish even more from that single pane of glass.

For more information on multi-factor authentication: Click Here

For a look at how much AuthAnvil’s Kaseya integration can be used: Click Here

Author: Harrison Depner

Home Depot: Yet another retail breach.
PCI compliance just doesn’t cut it


What do Home Depot, UPS, and Target have in common? Well, aside from all providing budget-friendly furniture, all three have been the recent target of data breaches involving Point-Of-Sale (POS) units containing customer financial information.

Now, when a data breach occurs, someone always has to play the blame game. “It’s the store’s fault. Their IT security wasn’t compliant. Clearly they should have fixed x and prepared for y…” Well, I don’t believe approaching these sorts of issues from that angle is productive. Security is never infallible and *stuff* happens, so wear a helmet and get used to it or get out of the business.

If you want to blame something, blame the reliance placed on regulations as a means of securing customer information. Regulations are not, and have never been, a catchall solution. A chef doesn’t make good food because their restaurant passed a health inspection, yet, in IT security, people throw around the types of compliance they have like that’s something significant. That’s not how it works. If you work in retail IT, then PCI compliance isn’t some sort of badge of honor; it’s more like an acknowledgement that you’re not incompetent. If you had a room full of people and you wanted to find the most educated, you wouldn’t start by asking who completed grade school, so if you only judge a breached business by whether it was compliant or not, you’re asking the wrong questions. Compliance is a minimal requirement and, like most minimum requirements, it logically follows that anything greater than it is better. What we need to start asking then is “could this breach have been reasonably avoided?”

These businesses were legally required to be PCI compliant, but there’s so much more to providing IT security than following some paint-by-the-numbers security guidelines. The key thing about IT security is that you can never eliminate the risk, you can only mitigate it. That leaves one question remaining, could the Home Depot breach have been reasonably avoided?

I can’t easily answer that. Depending on how you look at it, the breach was both avoidable and unavoidable. It’s impossible to know, because we don’t know if Home Depot did a good job securing their customers’ data; that information hasn’t been released yet. What I can say is that if more banks had adopted chip-based credit cards, then the breach wouldn’t have been as bad. Chip cards are harder and more expensive to “clone”, thus making them less valuable to criminals. Would this have prevented the breach? Probably not. Would it have decreased the damage? Yes, significantly so.

If you think about it though, that’s IT security in a nutshell. There’s no such thing as absolute security. The only absolute in IT security is the absolute chance of any system being breached. P(Breach) ≠ 0 and whatnot. If someone wanted to dedicate enough resources, they could breach any system. To combat this, those in IT security must follow a constant process of checking and confirming their systems are as they should be. It’s a process of confirming that vulnerabilities are secured as they are discovered.

In summary:

Could more have been done to prevent the Home Depot breach?

Sure, there’s always more that can be done to improve security.

Does the status of their PCI compliance matter?

Not that much, except from a legal standpoint.

Would having stronger security made a difference?

Not necessarily, but it couldn’t have made it worse.

Now I’m not the kind of guy to self-promote in the aftermath of a major breach, but we have a free eBook on how AuthAnvil can help secure Retail IT. It covers how many of our features can help to meet and surpass the requirements of PCI DSS. So, if you’re interested in what PCI compliance actually requires or are looking to beef up your systems security, just Click Here.

Author: Harrison Depner

3 Things Your Password Management Solution Must Provide


When was the last time an employee left your company?
Was it one month ago? Two?

Gone are the days of the lifelong career. Sure, if you work in education there’s the possibility of tenured professors, but for the average MSP there’s no such thing, and as such there is a significant amount of employee turnover. No matter how hard you try to retain your employees, some are going to be taken from you, and some of those employees are bound to be technicians.

It’s always sad whenever a technician leaves a company, but the IT security risk their departure leaves behind can linger even longer. You can lock their personal accounts after they leave and have them return their keycards, but you can’t remove all knowledge of your and your clients’ systems, applications, networks, and the associated usernames and passwords from their minds.

Now consider the ever increasing risk of a data breach, and the value of your clients’ data.

Your clients expect that, along with whatever other services you provide, you will help protect them from the risk of a breach, yet every time a technician leaves your company a set of keys to unlock your clients’ secured systems is being released into the world. Many businesses would be bankrupted by even a single breach, and your ex-employees have the means of walking casually past their security and into their systems. How do you think your clients would feel if they knew that?

As a business working in IT, the security of all systems, your clients’ and your own, must be at the forefront of your focus. When it comes to passwords, you need to have a plan in place which accounts for technicians leaving your company. Many MSPs I’ve seen lack such a plan, and that runs afoul of the oldest IT truism “always be prepared”. To be well prepared, there are three critical features your plan needs to work successfully…

Auditing

Your system, no matter how it’s set up, absolutely needs some auditing functionality. This allows you to check:

  • Who has accessed certain passwords, and when.
  • If the stored passwords are on par with any complexity or compliance requirements.
  • If the stored passwords are accurate and actually match the ones being used.
  • Who the contact with authority is, should something go wrong.

Access control

No technician should ever need to know every single password at any given time. Access control allows you to restrict that access to need-to-know only. The most common way of accomplishing this is by enacting a role-based access model, where users in certain roles have access to certain passwords. At the minimum your system should allow you to:

  • Control who can access certain passwords.
  • Control what access a user has to passwords (read-only, write-only, hidden, etc.)
  • Securely store the passwords in a central location, while providing access to virtually everywhere.

Automation

An Excel spreadsheet just won’t cut it for this requirement. Your system needs to be capable of doing most of these tasks automatically. If you tried to do this all manually, the work required would likely be a full-time job of its own. Your system should be able to automate all of the requirements for auditing and access control, while simultaneously being able to:

  • Automatically change and update passwords on a set schedule.
  • Inform those in authority when a password needs changing that cannot be automated.
  • Automatically enter passwords for users who only need it to log in.
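The three requirements above (auditing, access control, automation) interact, and the departing-technician problem from the start of the post is where that shows. The following is an added example of our own, not a Kaseya or AuthAnvil API: a minimal vault model in which roles decide who may reveal a password or only use it for an automatic logon, every access attempt is written to an audit trail, rotation is scheduled with a contact to notify, and offboarding a technician uses the audit trail to list exactly the secrets that person has actually seen. Class and method names and the sample client entries are constructed for this example.

```python
"""Added example (our own construction): auditing, role-based access and
scheduled rotation in one small vault model."""
from datetime import datetime, timedelta


class AccessDenied(Exception):
    pass


class Vault:
    def __init__(self):
        self.entries = {}   # name -> {"secret", "rotate_every", "changed", "contact"}
        self.grants = {}    # (role, entry name) -> "read" or "use"
        self.audit = []     # one record per access attempt, allowed or not

    def add_entry(self, name, secret, rotate_every_days, contact, changed):
        self.entries[name] = {"secret": secret, "changed": changed, "contact": contact,
                              "rotate_every": timedelta(days=rotate_every_days)}

    def grant(self, role, entry, permission):
        """'read' lets a human see the password; 'use' only allows auto-fill."""
        assert permission in ("read", "use")
        self.grants[(role, entry)] = permission

    def _access(self, user, role, entry, wanted, now):
        perm = self.grants.get((role, entry))
        allowed = perm == "read" or (perm == "use" and wanted == "use")  # read implies use
        self.audit.append({"when": now, "user": user, "role": role, "entry": entry,
                           "action": wanted, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not {wanted} {entry}")
        return self.entries[entry]["secret"]

    def reveal(self, user, role, entry, now):
        """Show the password to a person: the only action that puts it in someone's head."""
        return self._access(user, role, entry, "read", now)

    def autofill(self, user, role, entry, now):
        """Log the user in without showing the secret (the automation requirement)."""
        secret = self._access(user, role, entry, "use", now)
        # Stand-in for the real logon; the secret never reaches the user.
        return f"login to {entry} performed with a {len(secret)}-character secret"

    def rotate(self, entry, new_secret, now):
        self.entries[entry].update(secret=new_secret, changed=now)

    def rotation_due(self, now):
        """Entries past their schedule, with the contact to notify when rotation cannot be automated."""
        return [(name, e["contact"]) for name, e in self.entries.items()
                if now - e["changed"] >= e["rotate_every"]]

    def offboard(self, user):
        """Secrets this person has actually seen, i.e. the ones to rotate when they leave.
        Auto-filled secrets were never revealed, so they are not on this list."""
        return sorted({a["entry"] for a in self.audit
                       if a["user"] == user and a["action"] == "read" and a["allowed"]})


def build_sample_vault():
    """Constructed sample data: two client systems, two roles."""
    t0 = datetime(2014, 9, 1)
    v = Vault()
    v.add_entry("client-a-firewall", "fw-Secret-1", 30, "alice@example.com", t0)
    v.add_entry("client-b-domain-admin", "da-Secret-2", 90, "bob@example.com", t0)
    v.grant("network-tech", "client-a-firewall", "read")
    v.grant("helpdesk", "client-b-domain-admin", "use")
    return v, t0


if __name__ == "__main__":
    vault, t0 = build_sample_vault()
    vault.reveal("carol", "network-tech", "client-a-firewall", t0)
    vault.autofill("carol", "helpdesk", "client-b-domain-admin", t0)
    print("rotate on departure:", vault.offboard("carol"))
    print("rotation due:", vault.rotation_due(t0 + timedelta(days=31)))
```

The design choice worth noting is the split between `read` and `use`: a technician who only ever auto-filled a password never learned it, so the offboarding list stays short and the rotation work is proportional to what actually leaked, which is something the audit trail can only answer if every reveal, including denied ones, is recorded.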

Now, a lot of these requirements sound hard to fulfill. And they are, should you try to set this up yourself. That’s just the thing though, if you were solving for the problem of malware, you wouldn’t design your own in-house antivirus. I mean, you might rebrand some open source solution, but that never ends well.

The same method you use to solve for viruses, email, or any other software requirement, can be applied to password management. Let someone else build the tools, so you don’t have to. You don’t need to invent your own password management system, you just need a password management solution.

While you’re looking for a password management solution, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, make sure that the solution you choose supports a Kaseya integration. That way you can accomplish even more from a single pane of glass.

If you want more information on what you need from a password management system: Click Here

If you want to know what I would recommend as a password management system: Click Here

Author: Harrison Depner

Security and Healthcare IT: A HIPAA Compliance Questionnaire


As an MSP in the modern market you’ve likely heard the acronym “HIPAA” thrown about. If any of your customers are healthcare providers, clearinghouses, or businesses that deal with electronic protected health information (ePHI) then you have almost certainly heard of HIPAA compliance.

HIPAA, or the Health Insurance Portability and Accountability Act, is a set of regulations in the United States which apply to all people who have access to the data and/or networks which contain ePHI. If you only manage a network for a client who handles ePHI, and even if you never access the information, you will still count as a “business associate” under the act, are legally required to be compliant with the act, and can be held liable in the event of a data breach.

This means that if you do, or intend to, support clients in the field of healthcare, then you need to be HIPAA compliant. Even though HIPAA is a piece of U.S. legislation, many countries have similar pieces of legislation with similar requirements.

This leaves us with a key question: What does HIPAA compliance require when it comes to IT security, identity, and access management?

Fortunately, I’ve boiled the answers to this question down into a list of simple yes or no questions you can ask your client. If the answer is no, consider that a bad sign.

Security Policies and Procedures

Policies must be established to handle and manage all security violations. You can ask your clients questions like:

  • Are your employees aware of the penalties that will ensue from security violations?
  • Are internal penalties in place for employees who violate security procedures?
  • Do all your users know what to do in the event of security incidents or issues?
  • Is there a process in place to document, track, and address security issues or incidents?
  • Is there someone tasked with checking all security logs, reports, and records?
  • Do you have a security official in charge of a password and smart security policy?
  • Have you ever undertaken a risk analysis?

Access Management

Access to ePHI must be restricted to those who have permission to access it. You can ask your clients questions like:

  • Do you have measures in place to authorize or supervise access to ePHI?
  • Are there processes for determining the validity of access to ePHI?
  • In the event of employee termination, is their access to ePHI blocked?

Security Awareness Training

HIPAA requires that a security awareness training program must be established for all staff. You can ask your clients questions like:

  • Are employees regularly reminded about security concerns?
  • Do you hold meetings about the importance of password, software, and IT security?
  • Are your employees aware of the process surrounding malicious software?
  • Do you have procedures for regular review of login attempts?
  • Do those procedures check for any discrepancies or issues?
  • Have you established procedures to monitor, manage, and protect passwords?

The Worst Case Scenario

There should be a plan in place for the protection and use of ePHI in the event of an emergency or disaster. You should ask your clients questions like:

  • Are there tested and revised plans in place for an emergency?
  • Have the applications and data needed for these emergency plans been analyzed?
  • In the event of a disaster, can copies of ePHI be made or retrieved?
  • In the event of a disaster, can all ePHI be restored or recovered?
  • In the event of a disaster, will your ePHI be protected?
  • In the event of a disaster, can critical ePHI-related business functions be completed?

Contracts for Business Associate

Business associate contracts are critical for both ITSPs and MSPs who work in the healthcare setting. While not signing an agreement can provide a slight amount of protection from being liable under the law, detailing and signing off on your agreed-upon duties and liabilities can provide significantly more protection in the event of an investigation, audit, or breach. Documentation is key when it comes to protecting yourself.

Technological and Physical Protection

Procedures that limit physical access to facilities and equipment that house ePHI data need to be in place. Additionally, it is just as critical that procedures must ensure all ePHI is only accessible to employees who have permission to do so.

As someone working from an IT position, it is your responsibility to ensure that access to applications and data containing ePHI is limited to authorized users only. This is where authentication becomes critical.

One method you can discuss with your client is multi-factor authentication (MFA). With MFA, users log in with a password as well as an additional security factor, like a fingerprint scan or a one-time-use code from a secure mobile app. MFA’s higher level of assurance also allows businesses to explore other productivity and security solutions like single sign-on (SSO), where a single credential provides access to the others. For many businesses that must comply with HIPAA regulations, multi-factor authentication and single sign-on are both convenient and practical solutions to many of their compliance woes.

For a helpful HIPAA security checklist: Click Here
For more information on Multi-Factor Authentication: Click Here
For more information on Single Sign-On: Click Here

Author: Harrison Depner
