Archive - Security RSS Feed

Why is it called “Multi-Factor” Authentication? (MFA)


Why is multi-factor authentication (MFA) “multi-factor” anyways? A simple enough question, right? Well, it’s not as simple as it sounds.

Depending on where you look, you can see references to two-factor authentication, three-factor authentication, strong authentication, advanced authentication. Based on the name, it sounds like these are all just subcategories of multi-factor authentication. Unfortunately, that’s only half true, and that’s also where this question gets complicated.

Which types of authentication are always examples of multi-factor authentication?

Two- and three-factor authentication are always examples of multi-factor authentication. Multi-factor authentication, by definition, is authentication using at least two of the three possible authentication factors. So yes, two-factor and three-factor authentication are both examples of multi-factor authentication.

What about “strong” and “advanced” authentication?

This is where it gets tricky. Both strong and advanced authentication can be considered multi-factor authentication; however, it depends on how the authentication is implemented. To understand what I mean, we first need to define what multi-factor authentication is.

What is multi-factor authentication?

The term “authentication” refers to the ability to verify the identity of a person attempting to access a system (presumably someone who is authorized to access that system). The term “factor”, then, necessarily refers to the different types of tests someone must successfully complete to identify themselves. For IT security, these factors generally fall into three broad categories:

  • Knowledge: Something you know.

    This is the factor upon which password-only systems rely. To pass a knowledge factor based test, you must prove that you know a secret combination, like a password, PIN, or pattern.

  • Possession: Something you have.

    To authenticate using this factor, you must prove you possess something that only you should have, like a key, or an ID card.

  • Inherence: Something you are.

    Inherence means something that is inherently yours. That usually means a unique physical or behavioral characteristic, tested through some sort of biometric system.

Multi-factor authentication requires that a system use at least two of these authentication factors to authenticate users. That’s why it’s “multi-factor” authentication.

Wait… so what was that about “strong” and “advanced” authentication?

Well, multi-factor authentication requires that at least two factors be used. Both advanced and strong authentication can use two or three tests; however, their requirements do not mandate that the tests come from different categories. Strong authentication could be achieved by using a password and a security question, while advanced authentication could be established with a password and a challenge question. This means that, while all multi-factor authentication solutions count as strong or advanced authentication, not all strong and advanced authentication solutions count as multi-factor authentication.
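To make the distinction above concrete, here is a small policy check written for this post (it is an added example, not code from the original article or from any product it mentions). It maps authenticator types to the three factor categories and reports whether a combination merely has two or more tests (what the post calls strong or advanced) or draws on at least two distinct categories (true multi-factor). The authenticator names and their category assignments are assumptions; in particular, a TOTP app is treated as a possession factor.

```python
# Added example: classify a login's authenticators by factor category.
# Authenticator names and category assignments below are assumptions.
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of common authenticator types to the three categories.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,   # a second test, same category
    "challenge_question": Factor.KNOWLEDGE,  # likewise
    "hardware_token": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "debit_card": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,           # assumption: phone as the "have"
    "fingerprint": Factor.INHERENCE,
}


def classify(authenticators):
    """Describe how the post's definitions would label this combination.

    Returns a dict with the number of tests, the distinct categories used,
    and two booleans: strong_or_advanced (two or more tests of any kind)
    and multi_factor (tests from at least two distinct categories).
    """
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_FACTOR]
    if unknown:
        raise ValueError(f"unknown authenticator type(s): {unknown}")
    factors = {AUTHENTICATOR_FACTOR[a] for a in authenticators}
    tests = len(authenticators)
    return {
        "tests": tests,
        "factors": sorted(f.name for f in factors),
        "strong_or_advanced": tests >= 2,
        "multi_factor": len(factors) >= 2,
    }


if __name__ == "__main__":
    for combo in (["password", "security_question"],   # strong, not MFA
                  ["password", "totp_app"],            # MFA
                  ["debit_card", "pin"],               # the bank-card case
                  ["smart_card", "pin", "fingerprint"]):  # all three factors
        print(combo, classify(combo))
```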

Why do businesses need multi-factor authentication?

Many groups feel that single-factor authentication is adequate for their needs, but let’s consider something first. You have a bank account, and tied to that bank account you likely have both a debit and a credit card. To access your money you already use multi-factor authentication: you have a debit/credit card (possession) and a PIN code/password (knowledge). Now, consider how much damage a breach could cost your business. Does your business’ network deserve the same level of protection as your personal bank account, if not more?

Yes, yes it does.

Many industries already require multi-factor authentication! If you work in law enforcement in the United States, then you’re likely required to be CJIS compliant. CJIS compliance requires advanced authentication. If you work in retail, you’re likely PCI compliant. Again, PCI compliance requires multi-factor authentication. If you work in healthcare, then there’s HIPAA to consider. HIPAA is yet another regulation that requires multi-factor authentication. What this demonstrates is that, for IT security, MFA is becoming mainstream.

What’s my recommendation for a multi-factor authentication solution?

Well, no solution should be a one-size-fits-all response. You should be able to customize and tailor any potential solution so that vital resources are protected, without inconveniencing users who don’t require multi-factor authentication. If you’re interested in a solution designed from the ground up with security and usability in mind, then I’d recommend “AuthAnvil Two Factor Auth”.

AuthAnvil Two Factor Auth is a multifactor authentication server capable of adding identity assurance protection to the servers and desktops you need to interact with on a regular basis, and deep integration into many of the tools that you may use day to day. It also works with pretty much anything that supports RADIUS, so along with your Windows logon it can protect things like your VPNs, firewalls and Unix environments. Conveniently enough, it also integrates smoothly with Kaseya. That way you can accomplish even more from that single pane of glass.

For more information on multi-factor authentication: Click Here

For a look at how much AuthAnvil’s Kaseya integration can be used: Click Here

Author: Harrison Depner

Home Depot: Yet another retail breach.
PCI compliance just doesn’t cut it


What do Home Depot, UPS, and Target have in common? Well, aside from all providing budget-friendly furniture, all three have been the recent target of data breaches involving Point-Of-Sale (POS) units containing customer financial information.

Now, when a data breach occurs, someone always has to play the blame game. “It’s the store’s fault. Their IT security wasn’t compliant. Clearly they should have fixed x and prepared for y…” Well, I don’t believe approaching this sort of issue from that angle is productive. Security is never infallible and *stuff* happens, so wear a helmet and get used to it or get out of the business.

If you want to blame something, blame the reliance placed on regulations as a means of securing customer information. Regulations are not, and have never been, a catch-all solution. A chef doesn’t make good food because their restaurant passed a health inspection, yet, in IT security, people throw around the types of compliance they have like that’s something significant. That’s not how it works. If you work in retail IT, then PCI compliance isn’t some sort of badge of honor; it’s more like an acknowledgement that you’re not incompetent. If you had a room full of people and you wanted to find the most educated, you wouldn’t start by asking who completed grade school, so if you only judge a breached business by whether it was compliant or not, you’re asking the wrong questions. Compliance is a minimum requirement and, like most minimum requirements, it logically follows that anything greater than it is better. What we need to start asking, then, is “could this breach have been reasonably avoided?”

These businesses were legally required to be PCI compliant, but there’s so much more to providing IT security than following some paint-by-numbers security guidelines. The key thing about IT security is that you can never eliminate the risk, you can only mitigate it. That leaves one question remaining: could the Home Depot breach have been reasonably avoided?

I can’t easily answer that. Depending on how you look at it, the breach was both avoidable and unavoidable. It’s impossible to know, because we don’t know if Home Depot did a good job securing their customers’ data; that information hasn’t been released yet. What I can say is that if more banks had adopted chip-based credit cards, then the breach wouldn’t have been as bad. Chip cards are harder and more expensive to “clone”, thus making them less valuable to criminals. Would this have prevented the breach? Probably not. Would it have decreased the damage? Yes, significantly so.

If you think about it though, that’s IT security in a nutshell. There’s no such thing as absolute security. The only absolute in IT security is the absolute chance of any system being breached. P(Breach) ≠ 0 and whatnot. If someone wanted to dedicate enough resources, they could breach any system. To combat this, those in IT security must follow a constant process of checking and confirming their systems are as they should be. It’s a process of confirming that vulnerabilities are secured as they are discovered.

In summary:

Could more have been done to prevent the Home Depot breach?

Sure, there’s always more that can be done to improve security.

Does the status of their PCI compliance matter?

Not that much, except from a legal standpoint.

Would having stronger security have made a difference?

Not necessarily, but it couldn’t have made it worse.

Now I’m not the kind of guy to self-promote in the aftermath of a major breach, but we have a free eBook on how AuthAnvil can help secure retail IT. It covers how many of our features can help to meet and surpass the requirements of PCI DSS. So, if you’re interested in what PCI compliance actually requires or are looking to beef up your systems’ security, just Click Here.

Author: Harrison Depner

3 Things Your Password Management Solution Must Provide


When was the last time an employee left your company?
Was it one month ago? Two?

Gone are the days of the lifelong career. Sure, if you work in education there’s the possibility of tenured professors, but for the average MSP there’s no such thing, and as such there is a significant amount of employee turnover. No matter how hard you try to retain your employees, some are going to be taken from you, and some of those employees are bound to be technicians.

It’s always sad whenever a technician leaves a company, but the IT security risk their departure leaves behind can linger even longer. You can lock their personal accounts after they leave and have them return their keycards, but you can’t remove all knowledge of your and your clients’ systems, applications, networks, and the associated usernames and passwords from their minds.

Now consider the ever increasing risk of a data breach, and the value of your clients’ data.

Your clients expect that, along with whatever other services you provide, you will help protect them from the risk of a breach, yet every time a technician leaves your company a set of keys to unlock your clients’ secured systems is being released into the world. Many businesses would be bankrupted by even a single breach, and your ex-employees have the means of walking casually past their security and into their systems. How do you think your clients would feel if they knew that?

As a business working in IT, the security of all systems, your clients’ and your own, must be at the forefront of your focus. When it comes to passwords, you need to have a plan in place which accounts for technicians leaving your company. Many MSPs I’ve seen lack such a plan, and that runs afoul of the oldest IT truism: “always be prepared”. To be well prepared, there are three critical features your plan needs in order to work successfully…

Auditing

Your system, no matter how it’s set up, absolutely needs some auditing functionality. This allows you to check:

  • Who has accessed certain passwords, and when.
  • If the stored passwords are on par with any complexity or compliance requirements.
  • If the stored passwords are accurate and actually match the ones being used.
  • Who the contact with authority is, should something go wrong.

Access control

No technician should ever need to know every single password at any given time. Access control allows you to restrict that access to need-to-know only. The most common way of accomplishing this is by enacting a role-based access model, where users in certain roles have access to certain passwords. At the minimum your system should allow you to:

  • Control who can access certain passwords.
  • Control what access a user has to passwords (read-only, write-only, hidden, etc.)
  • Securely store the passwords in a central location, while providing access to virtually everywhere.

Automation

An Excel spreadsheet just won’t cut it for this requirement. Your system needs to be capable of doing most of these tasks automatically. If you tried to do this all manually, the work required would likely be a full-time job of its own. Your system should be able to automate all of the requirements for auditing and access control, while simultaneously being able to:

  • Automatically change and update passwords on a set schedule.
  • Inform those in authority when a password needs changing that cannot be automated.
  • Automatically enter passwords for users who only need it to log in.

Now, a lot of these requirements sound hard to fulfill. And they are, should you try to set this up yourself. That’s just the thing, though: if you were solving the problem of malware, you wouldn’t design your own in-house antivirus. I mean, you might rebrand some open source solution, but that never ends well.

The same method you use to solve for viruses, email, or any other software requirement can be applied to password management. Let someone else build the tools, so you don’t have to. You don’t need to invent your own password management system; you just need a password management solution.

While you’re looking for a password management solution, let me throw one more factor into the mix. If you’re reading this blog at blog.kaseya.com, there’s a good chance that you’re likely a Kaseya customer. If you are, or you’re interested in becoming one, make sure that the solution you choose supports a Kaseya integration. That way you can accomplish even more from a single pane of glass.

If you want more information on what you need from a password management system: Click Here

If you want to know what I would recommend as a password management system: Click Here

Author: Harrison Depner

Security and Healthcare IT: A HIPAA Compliance Questionnaire


As an MSP in the modern market you’ve likely heard the acronym “HIPAA” thrown about. If any of your customers are healthcare providers, clearinghouses, or businesses that deal with electronic protected health information (ePHI) then you have almost certainly heard of HIPAA compliance.

HIPAA, or the Health Insurance Portability and Accountability Act, is a set of regulations in the United States which apply to all people who have access to the data and/or networks which contain ePHI. Even if you only manage a network for a client who handles ePHI, and never access the information yourself, you will still count as a “business associate” under the act, are legally required to be compliant with the act, and can be held liable in the event of a data breach.

This means that if you do, or intend to, support clients in the field of healthcare, then you need to be HIPAA compliant. Even though HIPAA is a piece of U.S. legislation, many countries have similar pieces of legislation with similar requirements.

This leaves us with a key question: What does HIPAA compliance require when it comes to IT security, identity, and access management?

Fortunately, I’ve boiled the answers to this question down into a list of simple yes or no questions you can ask your client. If the answer is no, consider that a bad sign.

Security Policies and Procedures

Policies must be established to handle and manage all security violations. You can ask your clients questions like:

  • Are your employees aware of the penalties that will ensue from security violations?
  • Are internal penalties in place for employees who violate security procedures?
  • Do all your users know what to do in the event of security incidents or issues?
  • Is there a process in place to document, track, and address security issues or incidents?
  • Is there someone tasked with checking all security logs, reports, and records?
  • Do you have a security official in charge of a password and smart security policy?
  • Have you ever undertaken a risk analysis?

Access Management

Access to ePHI must be restricted to those who have permission to access it. You can ask your clients questions like:

  • Do you have measures in place to authorize or supervise access to ePHI?
  • Are there processes for determining the validity of access to ePHI?
  • In the event of employee termination, is their access to ePHI blocked?

Security Awareness Training

HIPAA requires that a security awareness training program must be established for all staff. You can ask your clients questions like:

  • Are employees regularly reminded about security concerns?
  • Do you hold meetings about the importance of password, software, and IT security?
  • Are your employees aware of the process surrounding malicious software?
  • Do you have procedures for regular review of login attempts?
  • Do those procedures check for any discrepancies or issues?
  • Have you established procedures to monitor, manage, and protect passwords?

The Worst Case Scenario

There should be a plan in place for the protection and use of ePHI in the event of an emergency or disaster. You should ask your clients questions like:

  • Are there tested and revised plans in place for an emergency?
  • Have the applications and data needed for these emergency plans been analyzed?
  • In the event of a disaster (I.T.E.O.A.D.), can copies of ePHI be made or retrieved?
  • I.T.E.O.A.D… Can all ePHI be restored or recovered?
  • I.T.E.O.A.D… Will your ePHI be protected?
  • I.T.E.O.A.D… Can critical ePHI-related business functions be completed?

Contracts for Business Associate

Business associate contracts are critical for both ITSPs and MSPs who work in the healthcare setting. While not signing an agreement can provide a slight amount of protection from being liable under the law, detailing and signing off on your agreed-upon duties and liabilities can provide significantly more protection in the event of an investigation, audit, or breach. Documentation is key when it comes to protecting yourself.

Technological and Physical Protection

Procedures that limit physical access to facilities and equipment that house ePHI data need to be in place. Additionally, it is just as critical that procedures ensure all ePHI is only accessible to employees who have permission to access it.

As someone working from an IT position, it is your responsibility to ensure that access to applications and data containing ePHI is limited to authorized users only. This is where authentication becomes critical.

One method you can discuss with your client is known as multi-factor authentication (MFA). With MFA, users log in with a password as well as an additional security factor like a fingerprint scan or a one-time-use code from a secure mobile app. MFA’s advanced level of security also allows businesses to explore other productivity and security solutions like single sign-on (SSO), which allows a single credential to provide access to others. For many businesses which are required to comply with HIPAA regulations, multi-factor authentication and single sign-on are both convenient and practical solutions to many of their compliance woes.

For a helpful HIPAA security checklist: Click Here
For more information on Multi-Factor Authentication: Click Here
For more information on Single Sign-On: Click Here

Author: Harrison Depner

Kaseya Acquires Scorpion Software for Identity and Access Management


“Last week Russian criminals stole 1.2 billion Internet user names and passwords, amassing what could be the largest collection of stolen digital credentials in history.” (CNNMoney) The credentials gathered appear to be from over 420,000 websites, both small and large. Which specific websites were impacted is yet to be disclosed, but it’s likely that some “household names” are on the list and will have to deal with the resulting publicity.

Today, companies need to manage access to a growing number of websites and applications. Unauthorized access to sensitive information can cause financial losses and reputation damage, and expose companies to regulatory penalties for privacy violations. According to the Ponemon Institute Research Finding, the US per-record cost of a data breach is $201. Multiply the 1.2 billion records stolen by the Russian criminals by the $201 and it is a shockingly high number. A Washington think tank has estimated the likely annual cost of cybercrime and economic espionage to the world economy at more than $445 billion; this represents a tax by criminals of almost 1 percent on global incomes.

To reduce these exposures, protecting access with the highest levels of security is crucial for IT organizations. But developing strong security requires a balance between making access difficult for hackers and easy to comply with and use for bona fide users. According to Verizon’s Data Breach Investigations Report, “The easiest and least detectable way to gain unauthorized access is to leverage someone’s authorized access”, which means passwords need to be properly managed and protected. Accordingly, IT organizations are faced with several challenges:

  • Given the relentless attempts to acquire security credentials through hacking, phishing and other techniques, preventing unauthorized system access requires more than just password-based access.
  • Passwords are easily shared, guessed and stolen. Managing password access is challenging for employees and IT organizations as the number of systems requiring password access grows.
  • Managing passwords and system access requires significant IT time and resources, so a highly efficient and easy to use administration solution is necessary.
  • Solutions chosen must comply with all prevailing industry standards.

Today, Kaseya took an important step to help its customers address these challenges, with its acquisition of Scorpion Software. The Scorpion Software AuthAnvil product set provides an important addition to the Kaseya IT management solution, offering two factor authentication, single sign-on and password management capabilities.

The solution provides IT groups with:

  • An advanced multi-factor authentication solution which provides a level of security which passwords alone cannot deliver.
  • An effective single sign-on solution with easy access to all systems for employees which avoids the need for sharing or writing down of passwords.
  • Powerful and easy-to-use password management capabilities to drive efficiencies in administering password access.
  • Support for industry standards compliance and auditing including PCI, HIPAA, SOX, CJIS and other standards.

These capabilities are aimed directly at the security and efficiency challenges above, and are essential for MSPs and IT organizations to be able to effectively manage secure access to applications and ensure standards compliance.

Scorpion Software is a longtime partner of Kaseya and has already implemented an integration with Kaseya Virtual System Administrator (VSA), making it easy for existing Kaseya customers to add Scorpion Software’s unique security capabilities to their solutions. Kaseya VSA is an integrated IT Systems Management platform that is used across IT disciplines to streamline and automate IT services, and the integration of Kaseya with Scorpion Software’s AuthAnvil technologies creates an IT management and security solution unmatched in the industry.

Scorpion Software’s AuthAnvil is currently in use by over 500 MSPs around the globe, and is the only identity and access solution to provide two factor user authentication integrated with password management and single sign-on. It allows IT organizations and MSPs to quickly and easily enable and manage secure access to all applications, delivering the highest levels of security and efficiency.

With the acquisition of Scorpion Software, Kaseya continues its work to deliver a complete, integrated IT management and security solution for MSPs and mid-sized enterprises around the world. The combined solution will help IT organizations:

  • Command Centrally: See and manage everything from a single integrated dashboard.
  • Manage Remotely: Discover, manage, and secure widely distributed environments.
  • Automate Everything: Deploy software, manage patches, manage passwords, and proactively remediate issues across your entire environment with the push of a button.

I know that many Kaseya customers who are reading this blog are already Scorpion Software customers. For those who are not, I invite you to visit the Scorpion Software website to learn more and see the product for yourself at www.scorpionsoft.com. Also, for more information, don’t hesitate to reach out to your Kaseya sales representative or email AuthAnvilSales@Kaseya.com.

Author: Tom Hayes


Manage Data, Not Devices


I recently read Verizon’s 2014 Data Breach Investigations Report which investigated 63,437 confirmed security incidents including 1,367 confirmed data breaches across 50 organizations in 95 countries. The public sector had the highest number of security incidents, whereas the finance industry had the highest number of confirmed data breach incidents (no surprise there!). These security incidents were mostly one of the following:

  • POS Intrusions
  • Web App Attacks
  • Physical Theft/Loss
  • Miscellaneous Errors
  • Crimeware
  • Card Skimmers
  • Cyber Espionage
  • DoS Attacks

Given your industry and the size of your company, some of these may not matter to you (until they happen to you). But there are three types of security incidents that are universally applicable, especially in this age of exploding adoption of mobile devices: Insider Misuse, Physical Theft/Loss and Miscellaneous Errors. It takes just a single lapse in security measures for an organization, whether public, private or government, to end up in a story like this:

Iowa State DHS Data Breach – Two workers used personal email accounts, personal online storage and personal electronic devices for work purposes

Further elaborating on the “Insider Misuse” threat, the Verizon report adds that over 70 percent of IP theft cases occur within a month of an employee announcing their resignation. Such departing employees mostly steal customer data and internal financial information. This has been made easier for these employees by permitting them to use their personal devices, which walk out the door with them when they leave.
