Archive - Security RSS Feed

Education and Mitigation: Improving IT Security Through User Education

School IT Security

Unless your network consists of a room full of users connecting to an unsecured consumer-grade router, the most vulnerable part of your network is your users. Technology is good at following rules consistently, while people are not. You can trust a computer not to install viruses on itself; it can be infected, but that’s not how it was designed to function. Technology may not always work the way it’s supposed to, but the technology itself has no say in its own actions. People, on the other hand… well, you just can’t trust people not to make bad decisions.

Even the Romans knew it. To err is human: Errare humanum est. -Seneca

Trusting in your users to do everything right is foolhardy; however, it’s quite possible to teach them not to trust themselves! In the field of IT security you should trust no one. Think about how much risk would be mitigated if you could pass that notion on to your users.

Would your average users stop opening random links people send them featuring “10 cute kitten videos you have to see”? Probably not, but if we change the question a little and ask, “Would your users engage in that sort of risky behavior less often?” then the answer becomes a definitive “yes.”

When it comes to educating your users about IT security, there are a lot of wrong ways to connect the dots. Simplistic training sessions can make your users feel ignorant, gullible, or even unintelligent. From my experience, the best practices tend to be those which are honest, informative, and relevant. Try having a brown-bag lunch and discussing IT security issues that have recently received media coverage. People remember large events like when Sony was hacked, so you could work that into a lesson about why it’s dangerous to reuse passwords across websites. Make your lessons relatable and you will improve the amount of knowledge your employees retain. It’s just that simple.

Maybe this doesn’t apply to your business. Perhaps you work at an MSP where the most computer-illiterate employee you have is the janitor from Elbonia, who has his CIS degree printed on what looks to be a cereal box. Well, even then there’s still plenty to learn.

Work can be hectic and busy. There are always new patches to install and break-fix work to do. After a certain point, it gets really easy to become apathetic about the process. No surprises here, but not embracing lifelong learning is one of the worst things you can do. IT security isn’t something you can learn once and be done with; it’s a constantly changing and evolving field! You can memorize your ABCs, but the closest thing to that I have seen in IT is the four cardinal rules of IT security.

Have you heard of the four cardinal rules? Probably not, because I’m sure my instructor was improvising when he taught them to us. That would explain why they’re pretty much the same as the four cardinal rules of gun safety. Here they are, so read them and see if you pick up anything new!

  1. All guns are always loaded.

    Connecting things to a network is a lot like picking up a gun. It could be loaded (with malware), or be poorly manufactured, which adds the risk of it blowing up in your face. You might want to trust the ergonomic keyboards your techs brought from home, but even that can be risky.

    In short: Assume nothing, and check everything.

  2. Always point the muzzle in a safe direction.

    Patches, updates, hardware installations: this applies to everything. If you’re going to change anything on your network, don’t just plow ahead and do it. Aim those changes in a safe direction (like a test server or a non-critical system) and try things out there first. If things work well on the test server, then safely implement the changes across all systems. You wouldn’t play Russian roulette with your life on the line, so why would you do it with your network?

    In short: Test everything before it goes live.

  3. Keep your finger off the trigger until you are on target and ready to shoot.

    It’s good to stay on top of the most recent updates, but there’s a fine line between updating appropriately and excessively. Just because you can update to the newest beta version of Java doesn’t mean you should, and just because there’s a newer version of an OS, that doesn’t mean you need it.

    In short: Don’t change anything on the fly and don’t install anything without considering the results.

  4. Know your target, and what lies beyond.

    When changing anything, make sure you are fully aware of what it is, what it does, and what depends on it. Consider what happened with the release of Windows Vista. Many businesses upgraded to Vista because their hardware supported it; unfortunately, a number of devices whose drivers had only ever been written for XP no longer functioned as a result. Users were scrambling to figure out why their printers, webcams, and other gadgets no longer worked, and it caused quite a headache for the people who supported those systems.

    In short: Do your research. Nothing is as modular as it seems, and updating something as innocuous as a printer could bring your network to its knees.

Above all else, always remember that you can never know too much. Keep on learning, keep reading those blogs, and keep reading those forums. You’ll never know if something you learned is relevant until you have to do it yourself.

Now, before you go looking for random lessons to train your coworkers on, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, why not take a look at Kaseya University?

Kaseya University is a state-of-the-art training platform for Kaseya users. It utilizes an innovative blended learning approach to provide both structured and flexible access to technical product training. The Learning Center allows students to build a truly customized learning experience unique to their needs. Kaseya University is kept current with Kaseya product releases, and refreshed multiple times a year. To learn more about Kaseya University: Click here

With that knowledge you can accomplish even more from a single pane of glass.

If you want more information on IT security or just want some topic starters: Click Here

If you want a more direct approach for improving your IT Security: Click Here

Author: Harrison Depner

Haste Prevents Waste: Single Sign-On Can Improve Any MSP’s Profit Margin

Single Sign-On Efficiency

As people gain access to more online resources, they need to remember an ever-increasing number of usernames and passwords. Unfortunately, having more usernames and passwords means more time spent keeping track of those usernames and passwords.

If you’re a business owner and you don’t have password management software, then you’re letting your employees manage their passwords on their own. Your users could be setting the stage for every IT security manager’s worst nightmare: an office full of sticky notes with user names and passwords clearly visible around their workstations or cubicles. Without some form of password management solution, your employees are suffering from ongoing frustration as they try to manage their passwords while following your IT security requirements.

If your business is already using password management software, then you should have a solution that manages which resources your employees are able to access, and which credentials they should use to do so. Unfortunately, your password system may not be doing everything it can to provide simple, and secure access for your employees.

What if there was a way for users to have strong passwords without the need to remember them, while also retaining a high degree of security?

Regardless of how you’re managing your passwords today, you can eliminate password frustration, increase your employees’ efficiency, and improve your IT security by implementing a single sign-on password management solution.

What is Single Sign-On?

Single sign-on (SSO) is a system through which users can access multiple applications, websites, and accounts by logging in to a single web portal just once. After the user has logged into the portal, he or she can access those resources without needing to enter additional user names or passwords.

There are two common ways to make this work. A credential-vaulting SSO system stores each user’s login ID and password for each resource; when the user navigates from the portal to a site or application, the system fills in those credentials behind the scenes, so from the user’s perspective they appear to be logged in automatically. A federated SSO system goes a step further: the portal (the identity provider) authenticates the user once and then hands each application a signed assertion vouching for that user’s identity, so the application never holds a password for that user at all.

High-quality SSO solutions are able to provide access to a variety of internal and external resources by supporting standard federation protocols such as SAML, WS-Federation, and WS-Trust, and by falling back to stored credentials for applications that support none of them.

As with any password management application, security is a critical consideration for SSO systems. Single sign-on is often implemented in conjunction with some form of multi-factor authentication (MFA) to ensure that only authorized users are able to log into the SSO web portal.
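To make the federated model concrete, here is an added example (not code from any product named on this page) of the exchange in miniature: the identity provider checks the password exactly once, then issues a short-lived assertion bound to one service provider, and the service provider verifies the signature, audience, lifetime, and replay before trusting it. A shared HMAC key stands in for the RSA signature and certificate a real SAML or WS-Federation deployment would use; the user, password, keys, and hostnames are all constructed for illustration.

```python
"""Minimal federated single sign-on: the IdP authenticates the user once and
issues a signed, audience-bound assertion; each SP verifies the assertion
instead of ever holding the user's password.  Added example, not code from
any product on this page.  Toy HMAC-signed token stands in for SAML/WS-Fed;
all keys, names and hosts below are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# One signing key per SP, provisioned out of band (constructed values).
SP_KEYS = {
    "crm.example.test": b"crm-key-0123456789abcdef",
    "mail.example.test": b"mail-key-fedcba9876543210",
}
# The IdP's password verifier for its single login (constructed user).
_SALT = b"constructed-salt"
USER_DB = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_login(user: str, password: str) -> bool:
    """The one place in the whole system where a password is checked."""
    stored = USER_DB.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


def idp_issue(user: str, audience: str, now: float, ttl: int = 300) -> str:
    """Issue an assertion bound to one SP (aud) with a short lifetime (exp)."""
    key = SP_KEYS[audience]  # unknown SP -> KeyError; nothing is issued
    claims = {"sub": user, "aud": audience, "iat": int(now),
              "exp": int(now) + ttl, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


class ServiceProvider:
    """An SP verifies assertions; it never sees a password."""

    def __init__(self, name: str):
        self.name = name
        self.key = SP_KEYS[name]
        self.seen_jti = set()  # assertion ids already consumed (replay guard)

    def accept(self, token: str, now: float) -> Optional[str]:
        """Return the authenticated subject, or None if the assertion is bad."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None                      # forged, or signed for another SP
            claims = json.loads(_unb64(body))
            if claims["aud"] != self.name:
                return None                      # token meant for a different SP
            if not (claims["iat"] <= now < claims["exp"]):
                return None                      # expired or not yet valid
            if claims["jti"] in self.seen_jti:
                return None                      # replayed
            self.seen_jti.add(claims["jti"])
            return claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None                          # malformed token


def sso_flow(user: str, password: str, audience: str, now=None) -> Optional[str]:
    """Whole exchange: one login at the IdP, then one assertion per SP."""
    now = time.time() if now is None else now
    if not idp_login(user, password):
        return None
    return ServiceProvider(audience).accept(idp_issue(user, audience, now), now)
```

The audience check is the one people forget: without it, an assertion issued for the low-value mail application can be replayed against the CRM, which is exactly the kind of cross-application reuse SSO is supposed to eliminate.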

5 Reasons MSPs Benefit from Single Sign-On

  1. SSO can create exceptionally strong password security. When paired with multi-factor authentication (MFA), single sign-on gives you a password management solution that can be both user friendly and extremely secure.
  2. SSO makes enforcing password policies easier. In addition to allowing for strong passwords for critical resources, an SSO system makes it easier to assign and maintain those passwords. In some cases, you can take users out of the password management process entirely—a good SSO system will allow you to assign passwords behind the scenes, and change them as needed when your security needs evolve.
  3. Users won’t need or want to save passwords in their unsecured browser. To the average end user, the ability of a web browser like Chrome to remember and submit passwords is a huge bonus; however, while saved passwords offer some of the benefits of single sign-on, web browsers offer none of the security that comes with a true password management solution. When you implement an SSO system, you eliminate the temptation for employees to save their passwords in their browsers, because the SSO portal does that job instead, and often does it better. At that point you could disable that feature in their browsers without the risk of angering your users.
  4. Single sign-on makes your systems easier to secure. Rather than securing dozens or even hundreds of access points to your systems, your security administrators can focus the majority of their efforts on securing just one—the SSO system. That one system also becomes the most valuable target on your network, so pair it with multi-factor authentication, monitor it closely, and keep it patched; done that way, your credentials will be more secure and manageable than a collection of independently secured websites and systems.
  5. Reduced IT help desk calls. Experts estimate that the average employee calls the IT help desk for password assistance about four times per year. Given that an average IT help desk call takes about 20 minutes, that’s 80 minutes per year, or 160 minutes of wasted time (IT staff + end user) per year per end user. A good SSO solution will help you put that time back on your bottom line, and free your IT professionals to spend their time on more important projects.

Now, before you go looking for a single sign-on system for your business, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, make sure that the solution you choose supports a Kaseya integration. Scorpion Software was acquired by Kaseya not long ago, and they offer a full Kaseya integration of their user authentication and password management suite. Their suite offers single sign-on, multi-factor authentication, and many other features. So, if you’re looking for a Kaseya-optimized suite, there’s no better place to start. That way you can accomplish even more from a single pane of glass.

If you want more information on what a good single sign-on system should do: Click Here

If you want to know what I would recommend as a single sign-on solution: Click Here

Author: Harrison Depner

Why is it called “Multi-Factor” Authentication? (MFA)

MFA Steps

Why is multi-factor authentication (MFA) “multi-factor” anyways? A simple enough question, right? Well, it’s not as simple as it sounds.

Depending on where you look, you can see references to two-factor authentication, three-factor authentication, strong authentication, advanced authentication. Based on the name, it sounds like these are all just subcategories of multi-factor authentication. Unfortunately, that’s only half true, and that’s also where this question gets complicated.

Which types of authentication are always examples of multi-factor authentication?

Two- and three-factor authentication are always examples of multi-factor authentication. Multi-factor authentication, by definition, is authentication using at least two of the three possible authentication factors. So yes, two-factor and three-factor authentication are both examples of multi-factor authentication.

What about “strong” and “advanced” authentication?

This is where it gets tricky. Both strong and advanced authentication can count as multi-factor authentication; however, it depends on how the authentication is implemented. To understand what I mean we first need to define what multi-factor authentication is.

What is multi-factor authentication?

The term “authentication” refers to the ability to verify the identity of a person attempting to access a system (presumably someone who is authorized to access that system). The term “factor” then, necessarily refers to the different types of tests someone must successfully complete to identify themselves. For IT security, these factors often filter down into three broad categories:

  • Knowledge: Something you know.

    This is the factor upon which password-only systems rely. To pass a knowledge factor based test, you must prove that you know a secret combination, like a password, PIN, or pattern.

  • Possession: Something you have.

    To authenticate using this factor, you must prove you possess something that only you should have, like a key, or an ID card.

  • Inherence: Something you are.

    Inherence means something that is inherently yours. That usually means a unique physical or behavioral characteristic, tested through some sort of biometric system.

Multi-factor authentication requires that a system use at least two of these authentication factors, from two different categories, to authenticate users. That’s why it’s “multi-factor” authentication.

Wait… so what was that about “strong” and “advanced” authentication?

Well, multi-factor authentication requires that at least two factors be used. Both advanced and strong authentication can use two or three “tests”; however, their definitions do not require that those tests come from different categories. Strong authentication could be achieved by using a password and a security question, while advanced authentication could be established with a password and a challenge question, and both of those are knowledge factors, so an attacker who has phished one has probably phished the other. This means that, while all multi-factor authentication solutions count as strong or advanced authentication, not all strong and advanced authentication solutions count as multi-factor authentication.
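The distinction is easiest to see in code. The added example below (not code from AuthAnvil or any other product on this page) checks two factors from two different categories: a password (knowledge) verified with PBKDF2, and a time-based one-time code (possession of the enrolled device) computed per RFC 6238, which is what an authenticator app does. The account and its password are constructed; the only real value is RFC 6238’s published test secret, kept so the output can be checked against the RFC’s own test vectors. Each code is accepted at most once, so a phished code cannot be replayed.

```python
"""Two factors from two categories: a password (knowledge) checked with
PBKDF2, and an RFC 6238 TOTP code (possession of the enrolled device)
computed with HMAC-SHA1.  Added example, not code from any product on
this page; the account below is constructed.  RFC6238_TEST_SECRET is the
ASCII test key published in RFC 6238, so totp() can be checked against
the RFC's vectors (e.g. time 59 -> 94287082, last six digits 287082)."""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per TOTP window
DIGITS = 6
WINDOW = 1     # accept one step of clock skew either side
RFC6238_TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP = RFC 4226 HOTP over the current time step."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Constructed user record: password verifier plus enrolled TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"        # per-user random salt in practice
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.totp_secret = totp_secret
        self.last_counter = -1                 # highest step already consumed

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        return hmac.compare_digest(self.pw_hash, candidate)

    def check_totp(self, code: str, now: float) -> bool:
        """Accept a code within +/- WINDOW steps, and each step only once."""
        base = int(now) // STEP
        for counter in range(base - WINDOW, base + WINDOW + 1):
            if counter <= self.last_counter:
                continue                        # already used: block replay
            expected = totp(self.totp_secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def login(account: Account, password: str, code: str, now=None) -> bool:
    """Both factors must pass.  The password is checked first so a wrong
    password cannot be used to burn the user's current code; the caller
    should report a single generic failure either way."""
    now = time.time() if now is None else now
    if not account.check_password(password):
        return False
    return account.check_totp(code, now)
```

Compare this with a password plus a security question: both would be verified by the same check_password-style lookup against stored knowledge, and nothing in the second check depends on the user holding a device. That is the whole difference between “two tests” and “two factors.”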

Why do businesses need multi-factor authentication?

Many groups feel that single-factor authentication is adequate for their needs, but let’s consider something first. You have a bank account, and tied to that bank account you likely have both a debit and a credit card. To access your money you already use multi-factor authentication: you have a debit/credit card (possession) and a PIN code or password (knowledge). Now, consider how much a breach could cost your business. Does your business’ network deserve the same level of protection as your personal bank account, if not more?

Yes, yes it does.

Many industries already require multi-factor authentication! If you work in law enforcement in the United States, then you’re likely required to be CJIS compliant, and CJIS compliance requires advanced authentication. If you work in retail, you’re likely PCI compliant, and PCI DSS requires multi-factor authentication for remote access into the cardholder data environment. If you work in healthcare, then there’s HIPAA to consider. HIPAA’s Security Rule requires that you verify the identity of anyone accessing ePHI, and multi-factor authentication is the usual way to satisfy that. What this demonstrates is that, for IT security, MFA is becoming mainstream.

What’s my recommendation for a multi-factor authentication solution?

Well, no solution should be a one-size-fits-all response. You should be able to customize and tailor any potential solution so that vital resources are protected, without inconveniencing users who don’t require multi-factor authentication. If you’re interested in a solution designed from the ground up with security and usability in mind, then I’d recommend “AuthAnvil Two Factor Auth”.

AuthAnvil Two Factor Auth is a multifactor authentication server capable of adding identity assurance protection to the servers and desktops you need to interact with on a regular basis, and deep integration into many of the tools that you may use day to day. It also works with pretty much anything that supports RADIUS, so along with your Windows logon it can protect things like your VPNs, firewalls and Unix environments. Conveniently enough, it also integrates smoothly with Kaseya. That way you can accomplish even more from that single pane of glass.

For more information on multi-factor authentication: Click Here

For a look at how AuthAnvil’s Kaseya integration can be used: Click Here

Author: Harrison Depner

Home Depot: Yet another retail breach.
PCI compliance just doesn’t cut it

Home Depot Security Breach

What do Home Depot, UPS, and Target have in common? Well, aside from all providing budget-friendly furniture, all three have been the recent target of data breaches involving Point-Of-Sale (POS) units containing customer financial information.

Now, when a data breach occurs, someone always has to play the blame game. “It’s the store’s fault. Their IT security wasn’t compliant. Clearly they should have fixed x and prepared for y…” Well, I don’t believe approaching these sorts of issues from that angle is productive. Security is never infallible and *stuff* happens, so wear a helmet and get used to it, or get out of the business.

If you want to blame something, blame the reliance placed on regulations as a means of securing customer information. Regulations are not, and have never been, a catchall solution. A chef doesn’t make good food because their restaurant passed a health inspection, yet, in IT security, people throw around the types of compliance they have like that’s something significant. That’s not how it works. If you work in retail IT, then PCI compliance isn’t some sort of badge of honor; it’s more like an acknowledgement that you’re not incompetent. If you had a room full of people and you wanted to find the most educated, you wouldn’t start by asking who completed grade school, so if you only judge a breached business by whether it was compliant or not, you’re asking the wrong questions. Compliance is a minimum requirement and, like most minimum requirements, it logically follows that anything greater than it is better. What we need to start asking, then, is “could this breach have been reasonably avoided?”

These businesses were legally required to be PCI compliant, but there’s so much more to providing IT security than following some paint-by-the-numbers security guidelines. The key thing about IT security is that you can never eliminate the risk, you can only mitigate it. That leaves one question remaining, could the Home Depot breach have been reasonably avoided?

I can’t easily answer that. Depending on how you look at it, the breach was both avoidable and unavoidable. It’s impossible to know, because we don’t know if Home Depot did a good job securing their customers’ data; that information hasn’t been released yet. What I can say is that if more banks had adopted chip-based credit cards, then the breach wouldn’t have been as bad. Chip (EMV) cards are harder and more expensive to “clone” into counterfeit magnetic-stripe cards, which makes the stolen track data less valuable to criminals, though it does nothing for card-not-present fraud with the same numbers. Would this have prevented the breach? Probably not. Would it have decreased the damage? Yes, significantly so.

If you think about it, though, that’s IT security in a nutshell. There’s no such thing as absolute security. The only absolute in IT security is the absolute chance of any system being breached. P(Breach) ≠ 0 and whatnot. If someone wanted to dedicate enough resources, they could breach any system. To combat this, those in IT security must follow a constant process of checking and confirming that their systems are as they should be. It’s a process of confirming that vulnerabilities are closed as they are discovered.

In summary:

Could more have been done to prevent the Home Depot breach?

Sure, there’s always more that can be done to improve security.

Does the status of their PCI compliance matter?

Not that much, except from a legal standpoint.

Would having stronger security made a difference?

Not necessarily, but it couldn’t have made it worse.

Now I’m not the kind of guy to self-promote in the aftermath of a major breach, but we have a free eBook on how AuthAnvil can help secure Retail IT. It covers how many of our features can help to meet and surpass the requirements of PCI DSS. So, if you’re interested in what PCI compliance actually requires or are looking to beef up your systems security, just Click Here.

Author: Harrison Depner

3 Things Your Password Management Solution Must Provide

Password Requirements

When was the last time an employee left your company?
Was it one month ago? Two?

Gone are the days of the lifelong career. Sure, if you work in education there’s the possibility of tenured professors, but for the average MSP there’s no such thing, and as such there is a significant amount of employee turnover. No matter how hard you try to retain your employees, some are going to be taken from you, and some of those employees are bound to be technicians.

It’s always sad whenever a technician leaves a company, but the IT security risk their departure leaves behind can linger even longer. You can lock their personal accounts after they leave and have them return their keycards, but you can’t remove all knowledge of your and your clients’ systems, applications, networks, and the associated usernames and passwords from their minds.

Now consider the ever increasing risk of a data breach, and the value of your clients’ data.

Your clients expect that, along with whatever other services you provide, you will help protect them from the risk of a breach, yet every time a technician leaves your company a set of keys to unlock your clients’ secured systems is being released into the world. Many businesses would be bankrupted by even a single breach, and your ex-employees have the means of walking casually past their security and into their systems. How do you think your clients would feel if they knew that?

As a business working in IT, the security of all systems, your clients’ and your own, must be at the forefront of your focus. When it comes to passwords, you need to have a plan in place which accounts for technicians leaving your company. Many MSPs I’ve seen lack such a plan, and that runs afoul of the oldest IT truism: “always be prepared”. To be well prepared, there are three critical features your plan needs in order to work successfully…

Auditing

Your system, no matter how it’s set up, absolutely needs some auditing functionality. This allows you to check:

  • Who has accessed certain passwords, and when.
  • If the stored passwords are on par with any complexity or compliance requirements.
  • If the stored passwords are accurate and actually match the ones being used.
  • Who the contact with authority is, should something go wrong.

Access control

No technician should ever need to know every single password at any given time. Access control allows you to restrict that access to need-to-know only. The most common way of accomplishing this is by implementing a role-based access model, where users in certain roles have access to certain passwords. At the minimum your system should allow you to:

  • Control who can access certain passwords.
  • Control what access a user has to passwords (read-only, write-only, hidden, etc.)
  • Securely store the passwords in a central location, while providing access to virtually everywhere.

Automation

An Excel spreadsheet just won’t cut it for this requirement. Your system needs to be capable of doing most of these tasks automatically. If you tried to do this all manually, the work required would likely be a full-time job of its own. Your system should be able to automate all of the requirements for auditing and access control, while simultaneously being able to:

  • Automatically change and update passwords on a set schedule.
  • Inform those in authority when a password needs changing that cannot be automated.
  • Automatically enter passwords for users who only need it to log in.
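To show how the three requirements fit together, here is an added example (not code from any product named on this page) of a small shared-credential store: every access attempt is written to an audit trail whether or not it succeeds, each entry carries a role-based ACL that distinguishes reading a password from merely using it for a login, rotation is tracked by schedule, and offboarding a technician both revokes their roles and marks everything they could have read as due for rotation. The roles, entries, dates, and technicians are constructed for illustration.

```python
"""Shared-credential store with auditing, role-based access control and
scheduled rotation.  Added example, not code from any product on this
page; roles, entries, dates and users below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Entry:
    name: str
    secret: str
    rotation_days: int
    last_rotated: datetime
    # role -> permissions.  "read" reveals the secret; "use" only injects it
    # into a login (the "hidden" level in the list above); "write" may change it.
    acl: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class AuditRecord:
    when: datetime
    user: str
    entry: str
    action: str
    allowed: bool


class Vault:
    def __init__(self):
        self.entries: Dict[str, Entry] = {}
        self.roles: Dict[str, Set[str]] = {}      # user -> roles
        self.audit: List[AuditRecord] = []        # every attempt, allowed or not

    def add(self, entry: Entry) -> None:
        self.entries[entry.name] = entry

    def assign(self, user: str, role: str) -> None:
        self.roles.setdefault(user, set()).add(role)

    def _allowed(self, user: str, entry: Entry, action: str) -> bool:
        return any(action in entry.acl.get(r, ()) for r in self.roles.get(user, ()))

    def access(self, user: str, name: str, action: str, now: datetime) -> Optional[str]:
        """Audit first, then enforce.  Returns the secret only for "read"."""
        entry = self.entries[name]
        ok = self._allowed(user, entry, action)
        self.audit.append(AuditRecord(now, user, name, action, ok))
        if not ok:
            return None
        return entry.secret if action == "read" else "<injected>"

    def rotate(self, name: str, new_secret: str, now: datetime) -> None:
        entry = self.entries[name]
        entry.secret, entry.last_rotated = new_secret, now

    def rotations_due(self, now: datetime) -> List[str]:
        return [e.name for e in self.entries.values()
                if now - e.last_rotated >= timedelta(days=e.rotation_days)]

    def offboard(self, user: str) -> List[str]:
        """Departing technician: revoke roles and force rotation of every
        secret they could have read (they may still remember it)."""
        exposed = [e.name for e in self.entries.values()
                   if self._allowed(user, e, "read")]
        self.roles.pop(user, None)
        for name in exposed:
            self.entries[name].last_rotated = datetime.min
        return exposed


def scenario() -> dict:
    """Worked run with constructed data: two technicians, one leaves."""
    t0 = datetime(2014, 9, 1, 9, 0)
    v = Vault()
    v.add(Entry("client-a/firewall", "fw-pass-1", 90, t0 - timedelta(days=10),
                acl={"senior": {"read", "write"}, "helpdesk": {"use"}}))
    v.add(Entry("client-a/domain-admin", "da-pass-1", 30, t0 - timedelta(days=45),
                acl={"senior": {"read", "write"}}))
    v.assign("bob", "senior")
    v.assign("carol", "helpdesk")
    out = {}
    out["carol_read"] = v.access("carol", "client-a/firewall", "read", t0)
    out["carol_use"] = v.access("carol", "client-a/firewall", "use", t0)
    out["bob_read"] = v.access("bob", "client-a/domain-admin", "read", t0)
    out["due_before"] = v.rotations_due(t0)
    out["exposed"] = v.offboard("bob")
    out["bob_after"] = v.access("bob", "client-a/firewall", "read", t0)
    out["due_after"] = sorted(v.rotations_due(t0))
    out["denied"] = [(r.user, r.entry) for r in v.audit if not r.allowed]
    return out
```

The point of the "use" permission is that a help desk technician who only ever needs the firewall to log them in never learns the password, so when they leave there is nothing to rotate on their account; the senior technician who could read it is a different story, which is what offboard() handles.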

Now, a lot of these requirements sound hard to fulfill. And they are, should you try to set this up yourself. That’s just the thing though, if you were solving for the problem of malware, you wouldn’t design your own in-house antivirus. I mean, you might rebrand some open source solution, but that never ends well.

The same method you use to solve for viruses, email, or any other software requirement, can be applied to password management. Let someone else build the tools, so you don’t have to. You don’t need to invent your own password management system, you just need a password management solution.

While you’re looking for a password management solution, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance you’re a Kaseya customer. If you are, or you’re interested in becoming one, make sure that the solution you choose supports a Kaseya integration. That way you can accomplish even more from a single pane of glass.

If you want more information on what you need from a password management system: Click Here

If you want to know what I would recommend as a password management system: Click Here

Author: Harrison Depner

Security and Healthcare IT: A HIPAA Compliance Questionnaire

Healthcare Security

As an MSP in the modern market you’ve likely heard the acronym “HIPAA” thrown about. If any of your customers are healthcare providers, clearinghouses, or businesses that deal with electronic protected health information (ePHI) then you have almost certainly heard of HIPAA compliance.

HIPAA, or the Health Insurance Portability and Accountability Act, is a set of regulations in the United States which apply to all people who have access to the data and/or networks which contain ePHI. If you only manage a network for a client who handles ePHI, and even if you never access the information, you will still count as a “business associate” under the act, are legally required to be compliant with it, and can be held liable in the event of a data breach.

This means that if you do, or intend to, support clients in the field of healthcare, then you need to be HIPAA compliant. Even though HIPAA is a piece of U.S. legislation, many countries have similar pieces of legislation with similar requirements.

This leaves us with a key question: What does HIPAA compliance require when it comes to IT security, identity, and access management?

Fortunately, I’ve boiled the answers to this question down into a list of simple yes or no questions you can ask your client. If the answer is no, consider that a bad sign.

Security Policies and Procedures

Policies must be established to handle and manage all security violations. You can ask your clients questions like:

  • Are your employees aware of the penalties that will ensue from security violations?
  • Are internal penalties in place for employees who violate security procedures?
  • Do all your users know what to do in the event of security incidents or issues?
  • Is there a process in place to document, track, and address security issues or incidents?
  • Is there someone tasked with checking all security logs, reports, and records?
  • Do you have a security official in charge of your password and general security policy?
  • Have you ever undertaken a risk analysis?

Access Management

Access to ePHI must be restricted to those who have permission to access it. You can ask your clients questions like:

  • Do you have measures in place to authorize or supervise access to ePHI?
  • Are there processes for determining the validity of access to ePHI?
  • In the event of employee termination, is their access to ePHI blocked?

Security Awareness Training

HIPAA requires that a security awareness training program must be established for all staff. You can ask your clients questions like:

  • Are employees regularly reminded about security concerns?
  • Do you hold meetings about the importance of password, software, and IT security?
  • Are your employees aware of the process surrounding malicious software?
  • Do you have procedures for regular review of login attempts?
  • Do those procedures check for any discrepancies or issues?
  • Have you established procedures to monitor, manage, and protect passwords?

The Worst Case Scenario

There should be a plan in place for the protection and use of ePHI in the event of an emergency or disaster. You should ask your clients questions like:

  • Are there tested and revised plans in place for an emergency?
  • Have the applications and data needed for these emergency plans been analyzed?
  • In the event of a disaster, can copies of ePHI be made or retrieved?
  • In the event of a disaster, can all ePHI be restored or recovered?
  • In the event of a disaster, will your ePHI be protected?
  • In the event of a disaster, can critical ePHI-related business functions be completed?

Business Associate Contracts

Business associate contracts are critical for both ITSPs and MSPs who work in the healthcare setting. Not having a signed agreement does not shield you from liability: a business associate is liable under the Security Rule whether or not a contract exists. Detailing and signing off on your agreed-upon duties and liabilities, on the other hand, provides significantly more protection in the event of an investigation, audit, or breach. Documentation is key when it comes to protecting yourself.

Technological and Physical Protection

Procedures that limit physical access to facilities and equipment that house ePHI data need to be in place. Additionally, it is just as critical that procedures must ensure all ePHI is only accessible to employees who have permission to do so.

As someone working in an IT position, it is your responsibility to ensure that access to applications and data containing ePHI is limited only to authorized users. This is where authentication becomes critical.

One method you can discuss with your client is known as multi-factor authentication (MFA). With MFA, users log in with a password as well as an additional security factor like a fingerprint scan or a one-time code from a secure mobile app. MFA’s stronger level of assurance also allows businesses to explore other productivity and security solutions like single sign-on (SSO), which allows a single login to provide access to many resources. For many businesses which are required to comply with HIPAA regulations, multi-factor authentication and single sign-on are both convenient and practical solutions to many of their compliance woes.

Author: Harrison Depner

Kaseya Acquires Scorpion Software for Identity and Access Management

Last week Russian criminals stole 1.2 billion Internet user names and passwords, amassing what could be the largest collection of stolen digital credentials in history (CNNMoney). The credentials gathered appear to come from over 420,000 websites, both small and large. Which specific websites were affected has yet to be disclosed, but it is likely that some household names are on the list and will have to deal with the resulting publicity.

Today, companies need to manage access to a growing number of websites and applications. Unauthorized access to sensitive information can cause financial losses and reputation damage, and expose companies to regulatory penalties for privacy violations. According to Ponemon Institute research, the per-record cost of a data breach in the US is $201. Multiply the 1.2 billion records stolen by the Russian criminals by $201 and the result is a shockingly high number. A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion, a tax levied by criminals of almost 1 percent on global incomes.

To reduce these exposures, protecting access with the highest levels of security is crucial for IT organizations. But strong security requires a balance between making access difficult for attackers and easy for bona fide users to use and comply with. According to Verizon's Data Breach Investigations Report, "The easiest and least detectable way to gain unauthorized access is to leverage someone's authorized access", which means passwords need to be properly managed and protected. Accordingly, IT organizations face several challenges:

  • Given the relentless attempts to acquire credentials through hacking, phishing and other techniques, preventing unauthorized system access requires more than passwords alone.
  • Passwords are easily shared, guessed and stolen, and managing them becomes harder for employees and IT organizations as the number of systems requiring a password grows.
  • Managing passwords and system access consumes significant IT time and resources, so a highly efficient and easy-to-use administration solution is necessary.
  • Whatever solution is chosen must comply with all prevailing industry standards.

Today, Kaseya took an important step to help its customers address these challenges with its acquisition of Scorpion Software. The Scorpion Software AuthAnvil product set is an important addition to the Kaseya IT management solution, offering two-factor authentication, single sign-on and password management capabilities.

The solution provides IT groups with:

  • An advanced multi-factor authentication solution which provides a level of security which passwords alone cannot deliver.
  • An effective single sign-on solution with easy access to all systems for employees which avoids the need for sharing or writing down of passwords.
  • Powerful and easy-to-use password management capabilities to drive efficiencies in administering password access.
  • Support for industry standards compliance and auditing, including PCI, HIPAA, SOX, CJIS and other standards.

These capabilities are aimed directly at the security and efficiency challenges above, and are essential for MSPs and IT organizations to be able to effectively manage secure access to applications and ensure standards compliance.

Scorpion Software is a longtime Kaseya partner and has already built an integration with Kaseya Virtual System Administrator (VSA), so existing Kaseya customers can easily add Scorpion Software's security capabilities to their deployments. Kaseya VSA is an integrated IT systems management platform used across IT disciplines to streamline and automate IT services; integrating it with Scorpion Software's AuthAnvil technologies creates an IT management and security solution unmatched in the industry.

Scorpion Software's AuthAnvil is currently in use by over 500 MSPs around the globe, and is the only identity and access solution to provide two-factor user authentication integrated with password management and single sign-on. It allows IT organizations and MSPs to quickly and easily enable and manage secure access to all applications, delivering the highest levels of security and efficiency.

With the acquisition of Scorpion Software, Kaseya continues its work to deliver a complete, integrated IT management and security solution for MSPs and mid-sized enterprises around the world. The combined solution will help IT organizations:

  • Command Centrally: See and manage everything from a single integrated dashboard.
  • Manage Remotely: Discover, manage, and secure widely distributed environments.
  • Automate Everything: Deploy software, manage patches, manage passwords, and proactively remediate issues across your entire environment with the push of a button.

I know that many Kaseya customers who are reading this blog are already Scorpion Software customers. For those who are not, I invite you to visit the Scorpion Software website to learn more and see the product for yourself at www.scorpionsoft.com. Also, for more information, don’t hesitate to reach out to your Kaseya sales representative or email AuthAnvilSales@Kaseya.com.

Author: Tom Hayes


Manage Data, Not Devices

I recently read Verizon's 2014 Data Breach Investigations Report, which analyzed 63,437 confirmed security incidents, including 1,367 confirmed data breaches, contributed by 50 organizations across 95 countries. The public sector had the highest number of security incidents, whereas the finance industry had the highest number of confirmed data breaches (no surprise there!). The report sorts nearly all of these incidents into the following patterns:

  • POS Intrusions
  • Web App Attacks
  • Insider Misuse
  • Physical Theft/Loss
  • Miscellaneous Errors
  • Crimeware
  • Card Skimmers
  • Cyber Espionage
  • DoS Attacks

Given your industry and the size of your company, some of these may not matter to you (until they happen to you). But there are three types of security incidents that are universally applicable, especially in this age of exploding adoption of mobile devices. They are Insider Misuse, Physical Theft/Loss and Miscellaneous Errors. It just takes a single lapse in security measures for an organization, whether public, private or government, to end up in a story like this:

Iowa State DHS Data Breach – Two workers used personal email accounts, personal online storage and personal electronic devices for work purposes

Elaborating on the "Insider Misuse" threat, the Verizon report adds that over 70 percent of IP theft cases occur within a month of an employee announcing their resignation. Such departing employees mostly take customer data and internal financial information, and permitting them to use personal devices for work makes this easier, because those devices walk out the door with them when they leave.

Continue Reading…