Why Is Microsoft Warning Users About Password Spraying?

As modern warfare has evolved, so too has cyberwarfare. There is always a war occurring in cyberspace, where hackers attempt to outdo security researchers. One such example of hackers—often sponsored by government agencies—attempting to engage in cyberwarfare can be seen in the United States and Israeli technology sectors, which have become the target of password spraying.

Password spraying involves breaking into multiple accounts by trying a small set of commonly used passwords against many accounts at once. Considering how frequently people use common passwords, as well as variations of those passwords, one can imagine how effective this tactic can be.

In the scenario outlined above, Microsoft has issued a warning that about 250 Microsoft Office 365 customers in the defense technology sectors have been targeted by password spraying tactics. Microsoft calls this group DEV-0343, with the DEV in the name representing the fact that the attacks are, at this time, not sponsored by state actors. This group is thought to originate from Iran.

Fewer than 20 of the targets were actually compromised, but it’s still shocking to see high-profile targets opting for commonly used passwords. Microsoft has also reported that organizations that use multi-factor authentication are at less risk than those that don’t. As reported by Microsoft, security professionals should be wary of suspicious connections coming through Tor networks: “DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.”

Your business should always be prepared to take a look at the sign-in traffic on its network, especially if the activity is suspicious in some way, such as a burst of failed logins across many accounts, or activity during off-hours when nobody has any reason to be accessing your infrastructure. Passwords are only one part of a cybersecurity strategy, though, and you should be implementing security solutions like multi-factor authentication whenever possible.
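To show what "taking a look at the traffic" can mean in practice, here is an added example that is not part of the original post and not code from Microsoft or NuTech Services. It runs a simple spray detector over a few constructed sign-in records: instead of counting failures per source address (which a spray spread across hundreds of Tor exits would slip past), it counts how many distinct accounts failed within each one-hour window, notes which sources took part, lists any account that then succeeded from one of those sources, and flags whether the window falls outside business hours. The log format, the account names, the addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the 13:00 to 22:00 UTC working day are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in records (not real data, not a Microsoft 365 log schema).
# 203.0.113.10-12 play the role of Tor exit nodes; 198.51.100.x are ordinary office addresses.
SAMPLE_LOG = """\
2021-10-11T05:12:03Z user=alice@corp.example src=203.0.113.10 result=FAIL
2021-10-11T05:12:09Z user=bob@corp.example src=203.0.113.11 result=FAIL
2021-10-11T05:12:15Z user=carol@corp.example src=203.0.113.12 result=FAIL
2021-10-11T05:12:21Z user=dave@corp.example src=203.0.113.10 result=FAIL
2021-10-11T05:12:27Z user=erin@corp.example src=203.0.113.11 result=FAIL
2021-10-11T05:12:33Z user=frank@corp.example src=203.0.113.12 result=OK
2021-10-11T05:12:39Z user=grace@corp.example src=203.0.113.10 result=FAIL
2021-10-11T14:30:01Z user=alice@corp.example src=198.51.100.7 result=FAIL
2021-10-11T14:30:20Z user=alice@corp.example src=198.51.100.7 result=OK
2021-10-11T15:02:44Z user=bob@corp.example src=198.51.100.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumption: the organisation works 13:00-22:00 UTC; anything else is "off-hours".
BUSINESS_HOURS_UTC = (13, 22)


def parse_line(line):
    """Turn one record into a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def is_off_hours(ts, hours=BUSINESS_HOURS_UTC):
    start, end = hours
    return not (start <= ts.hour < end)


def detect_password_spray(log_text, min_accounts=5):
    """Flag every one-hour window in which at least min_accounts distinct accounts
    saw a failed sign-in. Counting accounts rather than attempts per source is what
    separates a spray (many accounts, few tries each) from one user mistyping."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"].replace(minute=0, second=0)].append(e)

    findings = []
    for window_start, evs in sorted(buckets.items()):
        failed_accounts = {e["user"] for e in evs if e["result"] == "FAIL"}
        if len(failed_accounts) < min_accounts:
            continue
        spray_sources = {e["src"] for e in evs if e["result"] == "FAIL"}
        # A success from one of the spraying sources is the account to reset first.
        compromised = sorted(
            e["user"] for e in evs if e["result"] == "OK" and e["src"] in spray_sources
        )
        findings.append({
            "window_start": window_start.isoformat(),
            "failed_accounts": len(failed_accounts),
            "sources": len(spray_sources),
            "compromised": compromised,
            "off_hours": is_off_hours(window_start),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_LOG):
        print(finding)
```

On the sample data the 05:00 UTC window is reported (six accounts failed from three sources, one account then succeeded, off-hours), while the 14:30 window, where one user fails once and then signs in, is not. Tune `min_accounts` to your tenant size; a real deployment would also correlate the source addresses against a Tor exit list.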

NuTech Services can help your business keep itself secure from threats of all kinds. To learn more, reach out to us at 810.230.9455.

The Latest Password Best Practices from the National Institute of Standards and Technology

Passwords are the first line of defense your accounts have against the myriad of threats out there. It’s imperative that you follow industry best practices when creating them so as to maximize security. Thankfully, the latest guidelines from the National Institute of Standards and Technology, or NIST, make creating secure passwords easy.

What is the NIST?

NIST has been the go-to authority on password creation standards for quite some time, and while it constantly changes its advised practices, it does so to keep up with the endlessly shifting nature of cybersecurity. Its most recent update to password best practices can be seen in the guidelines below.

New Guidelines

Several corporations currently use the NIST guidelines and all Federal agencies are expected to adhere to them as well. Here are the latest steps in creating a secure password.

1. Length is More Important than Complexity

Password complexity has been one of the pillars of password security for years, but these days, the guidelines disagree. NIST suggests that the longer the password, the harder it is to crack. In fact, according to NIST, organizations that require new passwords to be complex, with numbers, symbols, upper- and lower-case letters, etc., actually make the password less secure.

There are two major reasons for this determination. The first is that users often make their passwords far too complicated and forget them, leading to the eventual addition of something like an exclamation point or a 1 at the end of the password. This doesn’t make the password much more complex. Furthermore, users might be tempted to use the same complex password for multiple accounts, which is certainly not going to help their cause.

2. Eliminate Password Resets

Most businesses require that their staff reset their passwords every so often, whether it’s every month or every few months. The strategy is supposed to ensure that even compromised passwords can only be used for so long, locking would-be hackers out after the password has been changed. NIST suggests that this practice is actually counterproductive to account security.

Their reasoning is that, if people have to set up new passwords too frequently, they won’t be as careful when creating them. Furthermore, when people do change their passwords, they are more likely to use the same pattern to remember them. If a previous password has been compromised, there is a good chance that this pattern can give the attacker clues into what the current password is.

3. Don’t Hurt Security by Eliminating Ease of Use

A big concern that many network administrators have is that, if they remove options such as showing a password while the user types it in or allowing copy/paste, it is more likely that the password will be compromised. The truth is that ease of use does not compromise security; it turns out that making it easier for people to properly authenticate themselves is better for security than restricting them.

4. No More Password Hints

Some systems allow for password hints where the user can assign a question and a designated answer to access the account, should they forget the password. This system in itself is flawed and the very reason why many organizations have been hacked. Thanks to social media websites and the Internet as a whole, it’s not impossible to imagine a hacker using websites or other resources to look up information on a particular user to gain access to an account. And you know what they say; once it’s on the Internet, it’s there to stay.

5. Limit Password Attempts

Placing a limit on password attempts is beneficial for your organization’s network security in just about every circumstance imaginable. Password remembrance is usually one of two things: either the user will remember the password or they will have it stored somewhere. Locking users out of their account for a short period of time can be a great way to dissuade would-be hackers from trying to guess a user’s password.
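Guidelines 1 and 5 above translate directly into code. The following is an added example, not NIST's or NuTech Services' own code, of a password policy that judges candidates by length rather than by character classes, plus a login throttle that imposes a short, self-expiring lockout after repeated failures instead of locking the account permanently. It goes one step beyond the text by also rejecting passwords that appear on a list of commonly used ones, as NIST SP 800-63B requires; the tiny block list, the 8-to-64 character bounds and the lockout parameters are this example's assumptions.

```python
import time
import unicodedata
from collections import defaultdict

# Constructed stand-in for a real list of commonly used passwords (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2021"}


def check_password(candidate, min_length=8, max_length=64):
    """Guideline 1: length and a block list are the only criteria. There is
    deliberately no rule demanding digits, symbols or mixed case.
    Returns (accepted, reason)."""
    # Treat equivalent Unicode spellings alike before measuring or comparing.
    normalized = unicodedata.normalize("NFKC", candidate)
    if len(normalized) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(normalized) > max_length:
        return False, f"longer than {max_length} characters"
    if normalized.lower() in COMMON_PASSWORDS:
        return False, "commonly used password"
    return True, "ok"


class LoginThrottle:
    """Guideline 5: after max_failures in a row, refuse attempts for
    lockout_seconds, then let the user try again. The clock is injectable so
    the expiry can be exercised without sleeping."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def allowed(self, username):
        until = self._locked_until.get(username)
        return until is None or self.clock() >= until

    def record(self, username, success):
        """Call after every authentication attempt with its outcome."""
        if success:
            self._failures.pop(username, None)
            self._locked_until.pop(username, None)
            return
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            self._failures[username] = 0  # a fresh count once the lockout ends


class ManualClock:
    """Demo/test clock: advance .now by hand instead of waiting."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "P@ss1", "Password"):
        print(repr(pw), check_password(pw))
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=clock)
    for _ in range(3):
        throttle.record("alice", success=False)
    print("alice allowed right after 3 failures:", throttle.allowed("alice"))
    clock.now = 61
    print("alice allowed 61 s later:", throttle.allowed("alice"))
```

Note that a long, memorable passphrase with no symbols is accepted while a short "complex" one is not, and that the throttle keys on the username so that a spray from many source addresses still runs into the same limit.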

6. Use Multi-Factor Authentication

At NuTech Services, we like to reinforce with our clients that multi-factor or two-factor authentication is imperative for every account possible. The NIST recommends that users be able to demonstrate at least two of these three authentication measures before a successful login. They are the following:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

If at least two of these criteria are met, then chances are you are supposed to be on the network. Plus, consider how hard it would be for a hacker to gain access to more than one of the above. It just makes sense.

If you don’t make password security a priority for your business, you might come to regret it later, and no one wants to be the one responsible for a data breach. If you need a hand with implementing a password management system or other security best practices, reach out to us at 810.230.9455.

Which Authentication Option is Best?

Smartphones have steadily increased in their capabilities, and as they have done so, they have gathered more and more data that needs to be secured against potential security threats. Fortunately, there are also more ways to protect your smartphone than ever before. For today’s blog, we’ll take a look at the options you have to secure your devices.

The Password
Passwords are the reigning king of authentication. The password is the average user’s go-to, and if it is not created with security in mind, it can be very problematic. Since users have trouble remembering new passwords, even ones they are able to choose themselves, many users will create obvious passwords that can easily be guessed or hacked.

Conversely, a password (or passphrase) can be one of the strongest security measures available for your mobile device, and it is important for every mobile user, especially one that has access to business networks, to secure their device.

The Pattern Lock
The second option we will go over is called a pattern lock. It is the three-by-three swipe-based gesture that unlocks the device. This natural and intuitive lock is very fast, and if all nine dots are used in a pattern, it provides close to 400,000 possible configurations. Pattern lock comes up short in a couple of ways. People tend to use shapes that are more easily guessable. It’s also relatively easy to ascertain the pattern by watching a user’s hand.

The PIN
The PIN authentication option is a relatively strong one, as the typical four-numeral option has 10,000 different combinations. Android features the ability to support up to 16 digits. That’s 10 quadrillion different combinations. Of course, not many people are going to be able to remember a 16-digit PIN (and how annoying would it be to have to enter that every time you unlock your phone?). Simple PINs are the norm, and therefore not very secure.
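The keyspace figures quoted for the pattern lock and the PIN can be checked with a short computation. The following is an added example, not code from the original post or from Android, that enumerates every valid pattern under the usual Android rules (at least four dots, no dot reused, and a stroke may not pass over a dot that has not yet been visited) and tallies them by length; the PIN keyspace is simply ten to the number of digits. Those three rules are this example's reading of the pattern lock, not something the post states. The "close to 400,000" figure corresponds to the total over all lengths from four to nine dots; patterns that use all nine dots are a subset of that total.

```python
# 3x3 grid, dots indexed 0..8 row by row: (row, col) = divmod(index, 3)
GRID = [divmod(i, 3) for i in range(9)]


def _dot_between(a, b):
    """Index of the dot lying exactly halfway between dots a and b, or None.
    A stroke from a to b is only legal if that dot is already visited."""
    (ra, ca), (rb, cb) = GRID[a], GRID[b]
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None                      # midpoint is not on a dot
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def count_patterns_by_length():
    """Depth-first enumeration of all valid patterns; returns {length: count}."""
    counts = {n: 0 for n in range(1, 10)}

    def extend(path, visited):
        counts[len(path)] += 1
        last = path[-1]
        for nxt in range(9):
            if visited[nxt]:
                continue
            mid = _dot_between(last, nxt)
            if mid is not None and not visited[mid]:
                continue                 # would jump over an unvisited dot
            visited[nxt] = True
            path.append(nxt)
            extend(path, visited)
            path.pop()
            visited[nxt] = False

    for start in range(9):
        visited = [False] * 9
        visited[start] = True
        extend([start], visited)
    return counts


def pattern_keyspace(min_len=4, max_len=9):
    """Number of patterns Android would accept (lengths min_len..max_len)."""
    counts = count_patterns_by_length()
    return sum(counts[n] for n in range(min_len, max_len + 1))


def pin_keyspace(digits):
    return 10 ** digits


if __name__ == "__main__":
    by_len = count_patterns_by_length()
    for n in range(4, 10):
        print(f"{n}-dot patterns: {by_len[n]:>8,}")
    print(f"all valid patterns:   {pattern_keyspace():>8,}")
    print(f"4-digit PIN:  {pin_keyspace(4):,}")
    print(f"16-digit PIN: {pin_keyspace(16):,}")
```

Running it shows 389,112 valid patterns in total, of which 140,704 use all nine dots, against 10,000 four-digit PINs and 10,000,000,000,000,000 sixteen-digit ones. The raw keyspace is only an upper bound on strength: as the post notes, users cluster on a few easily guessed shapes and simple PINs.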

The Fingerprint Scanner
This authentication method is now becoming standard on most smartphones and has by and large been very popular. It’s secure enough to be trustworthy, and very fast. Moreover, many financial applications utilize the fingerprint as a form of authentication, making the option that much more attractive. The only drawbacks are that sometimes manufacturers will put the sensor in an inconvenient spot on the device and that it doesn’t work with gloves.

Using the Face
All newer smartphones have been taking advantage of facial recognition software. This allows a user to gain access by just glancing at the phone. Since this is an operating system-dependent option, most phones will be getting this option. It may not currently be the most secure option, but as the technology advances, this will be the go-to method for all authentication.

Other Security Measures
Many phones now also offer security features that rely on alternative forms of authentication. On-body detection keeps the device unlocked whenever it is being carried, regardless of who is carrying it. Other options, such as having your device unlock when a user says “Okay, Google,” are more for convenience than for privacy or device security.

What’s the Best Option?
Currently, if you are looking for the most secure and accessible option, your best bet is to use the fingerprint scanner on your phone. Back that up with a five- or six-digit PIN and you’ll be good to go. In the future, expect the facial recognition software to improve rapidly and, therefore, to become the most secure (and popular) option for getting into a mobile device.

What form do you use? Leave your favorite security methods in the comments section below.