
What are Passphrase Passwords?

Whether you are accessing email on your smartphone or documents on your work PC, you will typically be asked to prove who you are by providing credentials. Passwords can be hard to remember, yet a short or predictable password quickly becomes a weak gateway that lets an unauthorised person read your email and compromise your identity. To improve your security and reduce risk we recommend using a phrase or sentence, not one word, as your password.

What is brute force cracking?

The challenge we face in an evolving digital world is that attackers have sophisticated and effective tools for brute forcing passwords. A brute force attack systematically submits millions of candidate passwords (billions per second when the attacker holds a stolen database of password hashes) until one matches; a dictionary attack narrows the search to likely words, previously leaked passwords and simple variations of them. There are, however, things you can do to make your password far harder to guess.

What makes passphrases stronger than ordinary passwords is length above all: a passphrase is both easier to remember and far longer, and every extra character multiplies the work a brute force attacker has to do.

Let’s do a quick ‘What? Why? And Where?’:

What is a Passphrase? – Using a phrase or sentence, not one word, as your password.

A passphrase is similar to a password. It is used to verify access to a computer system, program or service. Instead of using one word, you use a sentence to authenticate.

Passphrases are most effective when they are:

  • Unique – not a famous phrase or lyric, and not re-used
  • Longer – phrases are generally longer than words
  • Complex – naturally occurring in a sentence with uppercase, symbols and punctuation
  • Easy to remember – saves you being locked out
  • Used with multi-factor authentication.

Why use a Passphrase? – Greater security & more convenience.

  • Harder to crack against common password attacks
  • Easier to remember than random characters
  • Meets password requirements easily – upper and lower-case lettering, symbols and punctuation

Where do I use Passphrases? – For all fixed and mobile devices.

Passphrases will significantly increase security across all of your business’ devices.

The comparison below breaks down passwords versus passphrases: how long each takes to crack by brute force and by dictionary attack, how easy it is to remember, and the estimated cost, at dark web rates, of the cracking time involved. The figures are one cracking model's estimates; real times depend on how the password is stored (a slow, salted hash such as bcrypt versus an unsalted fast hash) and on the attacker's hardware, so read them as relative rather than absolute.

password123
  Brute force attack: instantly (less than AU$0.01)
  Dictionary attack: instantly (less than AU$0.01)
  Easy to remember: very easy (too easy)
  Comment: One of the most commonly used passwords on the planet.

Spaghetti95!
  Brute force attack: 48 hours (AU$587.50)
  Dictionary attack: less than half an hour (AU$6.10)
  Easy to remember: easy
  Comment: Some complexity in the most common places (a capital at the start, digits and a symbol at the end) and very short length. Easy to remember, but easy to crack.

5paghetti!95
  Brute force attack: 24 hours (AU$293.70)
  Dictionary attack: less than 1 hour (AU$12.20)
  Easy to remember: somewhat easy
  Comment: Not much more complexity than above; character substitution is a standard dictionary-attack rule, and the length is still short. Easy to remember, but easy to crack.

A&d8J+1!
  Brute force attack: 2.5 hours (AU$30.60)
  Dictionary attack: 2.5 hours (AU$30.60)
  Easy to remember: very difficult
  Comment: Mildly complex, but shorter than the passwords above. Hard to remember and still easy to crack by brute force.

I don’t like pineapple on my pizza!
  Brute force attack: more than 1 year (more than AU$107,222.40)
  Dictionary attack: more than 40 days (more than AU$11,750.40)
  Easy to remember: easy
  Comment: Excellent length (35 characters). Complexity arises naturally from the apostrophe, exclamation mark and spaces. Very easy to remember and very difficult to crack.
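To make the comparison concrete, here is an added worked example (our own illustration, not part of the original comparison or of any cracking tool) that estimates brute force time from alphabet size and length, then runs a tiny rule-based dictionary attack over the table's entries. The guess rate of 10 billion per second, the six-word wordlist and the leet and suffix rules are all assumed and constructed; real tools use wordlists of hundreds of millions of leaked passwords and thousands of rules, so the point is the shape of the result, not the absolute numbers:

```python
import itertools

# Assumed attacker speed: 10 billion guesses per second against an unsalted fast
# hash. Change this to match the hash in use; bcrypt or Argon2 are orders slower.
GUESSES_PER_SECOND = 1e10

# Constructed mini wordlist; a real attack uses hundreds of millions of leaked passwords.
WORDLIST = ["password", "spaghetti", "pineapple", "pizza", "welcome", "qwerty"]
# Leetspeak substitutions and suffixes of the kind cracking tools apply as rules.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "123", "!", "95", "95!", "!95"]


def charset_size(password):
    """Size of the alphabet an attacker must cover to brute force this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols plus space
    return size


def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every string of this alphabet and length."""
    return charset_size(password) ** len(password) / rate


def human_time(seconds):
    """Render seconds as the largest sensible unit, e.g. '2.0 days'."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def leet_variants(word):
    """Yield the word with every subset of its leet-able letters substituted."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for r in range(len(positions) + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[word[i]]
            yield "".join(chars)


def dictionary_candidates():
    """Wordlist x case rules x leet rules x suffix rules, in the order a cracker tries them."""
    for base in WORDLIST:
        for cased in (base, base.capitalize(), base.upper()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield variant + suffix


def dictionary_attack(password):
    """Return (found, guesses_tried). A sentence is never produced by these rules."""
    tried = 0
    for tried, candidate in enumerate(dictionary_candidates(), start=1):
        if candidate == password:
            return True, tried
    return False, tried


def assess(password):
    """Summarise both attack models for one password."""
    found, tried = dictionary_attack(password)
    seconds = brute_force_seconds(password)
    return {
        "length": len(password),
        "brute_force": human_time(seconds),
        "brute_force_seconds": seconds,
        "dictionary_hit": found,
        "dictionary_guesses": tried,
    }


if __name__ == "__main__":
    for pw in ["password123", "Spaghetti95!", "5paghetti!95", "A&d8J+1!",
               "I don't like pineapple on my pizza!"]:
        print(f"{pw!r}: {assess(pw)}")
```

Run it and the two spaghetti variants fall within a few hundred guesses, because capitalising the first letter, swapping s for 5 and appending a year or symbol are exactly the rules a cracker applies; the 35-character sentence is never generated, and its brute force keyspace (85 symbols to the 35th power) dwarfs that of A&d8J+1!. Swap GUESSES_PER_SECOND for the rate your real hash allows; a slow, salted hash cuts the attacker's rate by many orders of magnitude, which is why how the password is stored matters as much as what it is.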

Tips for using passphrases more securely

  • Use a different passphrase for each account.
  • Never share the method you use to create your passphrases with anyone.
  • Only log in from workstations and devices that you can trust. Avoid using public computers to log into your accounts.
  • Multi-factor authentication adds a second layer of security on top of your passphrase; enable it wherever it is offered.
  • Remember that mobile device PINs are no different to a password. The longer the better, and if possible change to a passphrase or biometrics instead.

Who’s in charge? The need for third party (and internal) admins

We frequently receive requests from clients to grant administrative access to third parties or internal staff. Third parties often need some form of access to manage the application they are responsible for, and internal admins sometimes assist with running IT. ABT will generally be hesitant to provide these administrative credentials. Here is why.

Ultimately, we sign a contract with you under which we take on responsibility for your network. We take this very seriously and run your IT as if it were our own. We employ skilled staff, vetted for their abilities, security posture and personalities, and train them to develop their competencies and keep their knowledge up to date. Of course there is the occasional mistake, and when that happens we have a team of 40 staff and the backing of an industry channel to resolve the issue. And, very importantly, our staff sign NDAs, so your data is protected.

Once we give "others" access to your network, all of that is in vain. We do not know the people behind the often impersonal accounts we are asked to create. We do not know their skills, their level of risk-aversion or their willingness to admit they did something wrong. Our systems and processes are protected to industry-grade security standards. We are not saying we cannot be breached, but the chance is slim. Can your third party say the same? Remember they are only responsible for their application, yet with administrative access they can break your whole network, while they may not know the first thing about networks or servers.

And then the internal admins. We understand it is important for owners to have some level of access beyond that of the MSP. That completely makes sense. But giving an internal staff member a fully operational domain administrator account or Office 365 global admin account often introduces risk. It is like going to the dentist and bringing your own drill. Of course, we get you to sign a document that waives our responsibility if something goes wrong, but we would rather never have to use that excuse. And don't forget that internal admins typically have access to all data and all email in your organisation, including financial, salary and executive information.

In general, we will only provide the minimum level of administrative access required to get the job done for your third party or internal admin, and give these accounts an expiry date. Ideally:

  • We don't give out any administrative credentials other than an emergency admin account (the "break the glass" account), provided to the business owner "just in case". Use of this account will be monitored.
  • Third parties do their work while we log them in and look over their shoulder.
  • Your internal admin will have to trust us to do our job, and if access is required, only a limited level of access is granted.

Please understand we are not here to make your work harder; these measures are there to protect you (and ourselves).

The latest modern threat – The “Illicit Consent Grant Attack”

The latest cyberattack to hit Australian shores is what has been called the "illicit consent grant attack". Rather than simply trying to capture your password or duping you into clicking a link that installs a virus, the criminals behind this attack are more sophisticated.

We all use "apps" in our daily life. Think of Dropbox or SalesForce as examples. If you want to use these, you need to grant the app access to your data. Criminals can register their own apps in Azure AD and make them available to you. The app requests access to data such as contact information, email or documents. The attacker tricks a user into granting that access through a phishing email (a link that opens a legitimate-looking Microsoft consent prompt) or through malicious code injected into a website. Once the user clicks "Accept", the app can read and act on the user's data with the same rights as the user, without ever knowing the user's password. What is worse, if we find out you have been breached, standard remediation actions such as resetting passwords, enabling MFA and even restoring data from backup may not help, because the app's access is tied to the consent grant rather than to the password; the grant itself has to be found and revoked. All because an "app" asked for access and a user clicked yes.

For now, ABT's security team has disabled the ability for users under our management to grant consent to applications in your tenant. If users need an application approved, they should let us know and we will review it and grant consent on their behalf. We are also analysing the extensive list of applications that have already been granted consent in our clients' tenants and reviewing them for known threats.
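The review described above can be started from a tenant export of consent grants and the applications they belong to. The following is an added example, not ABT's tooling: it triages a constructed list of grants joined to their service principals and ranks the ones that look like the attack pattern. The field names (clientId, consentType, principalId, scope, appOwnerOrganizationId, verifiedPublisher) follow Microsoft Graph's oauth2PermissionGrant and servicePrincipal resources, but every value, the home tenant ID, the set of high-risk scopes and the scoring weights are assumptions made for the illustration:

```python
import json

# Tenant ID of the customer's own directory (assumed value for this example).
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Delegated Graph scopes that expose mail, files, contacts or the directory (assumed set).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Contacts.ReadWrite",
    "Directory.Read.All", "Directory.AccessAsUser.All",
}

# Constructed sample export. Field names follow Microsoft Graph's servicePrincipal and
# oauth2PermissionGrant resources; every value is invented for this example.
SERVICE_PRINCIPALS = json.loads("""[
  {"id": "sp-payroll", "displayName": "Payroll Portal",
   "appOwnerOrganizationId": "11111111-1111-1111-1111-111111111111",
   "verifiedPublisher": {"displayName": null}},
  {"id": "sp-sync", "displayName": "Example Storage Sync",
   "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
   "verifiedPublisher": {"displayName": "Example Storage Ltd"}},
  {"id": "sp-expense", "displayName": "Expense Helper",
   "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
   "verifiedPublisher": {"displayName": null}}
]""")

GRANTS = json.loads("""[
  {"id": "g1", "clientId": "sp-payroll", "consentType": "AllPrincipals",
   "principalId": null, "scope": "User.Read"},
  {"id": "g2", "clientId": "sp-sync", "consentType": "Principal",
   "principalId": "user-bob", "scope": "Files.Read offline_access"},
  {"id": "g3", "clientId": "sp-expense", "consentType": "Principal",
   "principalId": "user-alice",
   "scope": "Mail.Read Contacts.Read Files.ReadWrite.All offline_access"}
]""")


def triage_grant(grant, sp_by_id):
    """Score one consent grant; the weights are arbitrary but ordered by how bad each signal is."""
    sp = sp_by_id.get(grant["clientId"], {})
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    reasons, score = [], 0
    if risky:
        reasons.append("sensitive delegated scopes: " + ", ".join(risky))
        score += 3 * len(risky)
    # An app owned by another tenant with no verified publisher is the classic attacker setup.
    external = sp.get("appOwnerOrganizationId") != HOME_TENANT_ID
    verified = bool((sp.get("verifiedPublisher") or {}).get("displayName"))
    if external and not verified:
        reasons.append("multi-tenant app from an unverified publisher")
        score += 4
    # offline_access means the app holds refresh tokens and does not need the user present.
    if "offline_access" in scopes and risky:
        reasons.append("offline_access: app keeps refresh tokens for unattended access")
        score += 2
    if grant["consentType"] == "AllPrincipals":
        reasons.append("consent applies to every user in the tenant")
        score += 1
    return {
        "grant_id": grant["id"],
        "app": sp.get("displayName", grant["clientId"]),
        "user": grant.get("principalId") or "all users",
        "score": score,
        "reasons": reasons,
    }


def triage(grants, service_principals):
    """Join grants to their apps and return them ranked, worst first."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    return sorted((triage_grant(g, sp_by_id) for g in grants),
                  key=lambda r: r["score"], reverse=True)


def needs_review(results, threshold=5):
    """Grants above the (assumed) threshold get a human look before anything else."""
    return [r for r in results if r["score"] >= threshold]


if __name__ == "__main__":
    for result in triage(GRANTS, SERVICE_PRINCIPALS):
        print(result["score"], result["app"], result["user"], result["reasons"])
```

The top-scoring grant is the combination the attack relies on: mail, contacts and file scopes plus offline_access, consented by a single user to a multi-tenant app from an unverified publisher. Remediation for such a grant is to delete the oauth2PermissionGrant and disable or delete the service principal, then revoke the user's sign-in sessions; a password reset on its own leaves the grant in place.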

Users are to be advised:

  • Never click on a link in an email unless the source is 100% trustworthy (better still, type the address into your browser yourself)
  • Do not visit websites where applications can be downloaded and installed
  • Never grant an application unvetted access to company data; if a consent prompt appears unexpectedly, stop and contact us

How can we help protect you?

The security landscape continually changes. New vulnerabilities and threats are discovered all the time. It is important for you to know that you can rely on ABT to protect you as well as possible.

It is a little bit like protecting your home. 100% guaranteed security is impossible, but if you take all the recommended precautions (lock all your doors and windows with proper locks, have a working alarm system (or a noisy dog) and leave a light on if you go away for a while) you may just have enough deterrent for someone with bad intentions to skip your house.

Data and Information security is no different. Some of the mitigation strategies you can use are:

  • Ensure Multi-Factor authentication is enabled and use it.
  • Have a strong password that you do not use in multiple places.
  • Let us manage Microsoft Windows Updates on your workstation so it is kept up to date.
  • Always make sure an email is from a trustworthy sender.
  • Never click on a link in an email asking you to log in to something.
  • Make sure your important data is always backed up.
  • Limit the third party and internal administrative accounts on your network.
  • Use a VPN (Virtual Private Network) to connect to the office when you work remotely.
  • Do not use public Wi-Fi when you are connecting to company resources.
  • Stay away from “Social Logins”, for example where Facebook allows you to log in to a service giving the service access to your data and email.
  • Use a password manager to store all your credentials, rather than saving them in your browser.
  • Limit revealing personal info on social media. The posts where people share their first concert, favourite restaurant, the name of their pet and where they met their significant other may be interesting to see for their friends, but it also provides data that can be used to access accounts.

Our security specialists can assist you with an extensive security audit of your systems to reveal vulnerabilities you were probably not aware of. Preventing a breach is far cheaper than the remediation and restoration required after one.

Data Security Breaches – What you need to know

Almost immediately after clients started to work from home the number of data breaches increased. Our Information Security team, led by security specialists such as Jarred Jenkins and Damien Coultis, will pick up new cases of unlawful access to data, file encryption attacks and breached security perimeters almost daily.

Typically our engineers will first assess the gravity of the situation, ascertain if a breach is ongoing and whether personally identifiable information has been accessed. We will then take precautions to ensure forensic analysis is possible by taking a backup snapshot of the device (workstation or server) affected, and then start remediation so that you, the client, can go back to work as quickly as possible. Often we will need to restore data from backup and take precautions such as resetting passwords.

It is important to note that even though ABT security specialists are very knowledgeable, and trained to respond in line with industry standards such as NIST, ISO 27001 and the ACSC's "Essential Eight", ABT are not forensic analysts. We can assist you in determining the seriousness of a potential attack on your data but will always recommend you engage information security forensic specialists. We can of course recommend partners and work alongside them on your behalf. The responsibility to report breaches of personal information to the OAIC, however, will always remain with you.

Why You Should Ensure Your IT Infrastructure Is Compliant

As you are aware, the Notifiable Data Breaches Scheme commenced in Australia in February 2018. As an entity you now have an obligation to report a data breach that is likely to result in serious harm to any individual whose personal information is involved.

With data security and cybercrime an ongoing concern, the European Union has also brought its own data protection law into force: the General Data Protection Regulation (GDPR). It establishes one set of data protection rules for all companies operating in the EU, wherever they are based. The practical upshot of both laws is that your own company data must be protected and secure. With new threats emerging every day, the risks of not securing your network are greater than ever, especially for smaller companies: Verizon reported that 61 percent of breach victims in 2017 were businesses with under 1,000 employees.

With security and compliance an integral aspect of every company, in recent months we have been contacting you by email or phone to discuss your IT infrastructure. Please take these calls and security audit notices seriously. If you receive a ticket saying our technicians are investigating excessive login attempts and requesting a security audit, please approve it. With a business falling victim to a ransomware attack every 14 seconds, there is no time to waste. As your Managed Services Provider we are doing our best to keep your company safe and secure against all threats; however, we need your cooperation to do so.

There’s no question that the situation with cybercrime is incredibly serious. It is not a matter of if you will get targeted, it is when. Products and solutions that have provided a foundation for a small business’s IT 2 years ago are often not adequate to offer full protection against these current threats.

There is no single solution that will fully protect your business, and some businesses may not be able to implement all the recommendations to be fully compliant. Our aim is to provide the required information and recommendations necessary for the business owner to make an educated decision on security and business continuity.

Below are the top 10 minimum requirements for all businesses to consider for increased security:

  1. Enterprise Grade firewall with Advanced Threat Protection for on premise data.
  2. Implementation of VPN for remote access into the business.
  3. Ensure on premise data is backed up to dual destinations, including one off-site.
  4. Implement Advanced Threat Protection on all incoming emails to protect against malicious links.
  5. Migrate email to Office 365 where possible to reduce the risk of downtime.
  6. Ensure all server hardware is in warranty and all software assurance is maintained.
  7. Ensure Office 365 is backed up, including mail archiving.
  8. Understand the business continuity plan and time to recovery (virtualisation, live backups).
  9. Draft a business disaster recovery plan.
  10. Undertake regular network and security audits, including password changes.

We want to ensure your company's IT infrastructure is as secure as possible. If you would like to discuss your security options further, please contact us sooner rather than later.

P: 1300 705 062

E: sales@abtechnologies.com.au


How to recognize phishing email messages, links, or phone calls

Phishing email messages, websites, and phone calls are designed to steal money or data. Cybercriminals do this by installing malicious software on your computer or stealing personal information from it.

Cybercriminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretenses. They might email you, call you on the phone, or convince you to download something off of a website.

What does a phishing email message look like?

Here are the signs that typically give a phishing email away.

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have copy editors who would not allow a mass email with such mistakes to go out to users. If you notice mistakes in an email, it might be a scam. For more information, see Email and web scams: How to help protect yourself.
  • Beware of links in email. If you see a link in a suspicious email message, don't click on it. Rest your mouse on the link (but don't click) to see whether the real destination matches the address shown in the message. In Microsoft's example the link text looks like the company's web address, but the destination revealed on hover is a string of cryptic numbers (a bare IP address) that looks nothing like it.

Links might also lead you to .exe files. These kinds of file are known to spread malicious software.

  • Threats. Have you ever received a threat that your account would be closed if you didn't respond to an email message? That is the same trick. Cybercriminals often use threats that your security has been compromised to pressure you into acting quickly. For more information, see Watch out for fake alerts.
  • Spoofing popular websites or companies. Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows. For more information, see Avoid scams that use the Microsoft name fraudulently.

Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered.
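The hover check and the "slightly altered address" check above can be automated for incoming mail. The example below is added here (it is neither Microsoft's nor ABT's code) and runs over a constructed HTML email body: it extracts every link, compares the displayed address with the real destination, flags numeric IP destinations and executable downloads, and looks for domains that imitate a short, assumed list of brands. The brand list, the confusable-character map, the sample message and the crude registrable-domain logic are all assumptions for the illustration:

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of brands this organisation expects to see in mail; extend as needed.
KNOWN_BRANDS = {"microsoft.com", "paypal.com", "dropbox.com"}
# Characters attackers swap for look-alikes (0 for o, 1 for l, ...); "rn" for "m" is handled separately.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".msi")

# Constructed phishing email body; 198.51.100.0/24 and .example are reserved for documentation.
SAMPLE_EMAIL = """
<p>Your account will be closed unless you verify it within 24 hours.</p>
<p><a href="http://198.51.100.23/login">https://www.microsoft.com/account</a></p>
<p><a href="https://secure-micros0ft.com/verify">Verify my account</a></p>
<p><a href="https://paypal.com.account-verify.example/update">Update billing</a></p>
<p><a href="https://cdn.example/invoice.pdf.exe">Download invoice</a></p>
<p><a href="https://www.microsoft.com/security">Microsoft security guidance</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Crude registrable domain (last two labels); real code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the brand a host imitates, or None if it is the brand itself or unrelated."""
    host = host.lower()
    if registrable(host) in KNOWN_BRANDS:
        return None
    normalised = host.replace("rn", "m").translate(CONFUSABLES)
    for brand in KNOWN_BRANDS:
        label = brand.split(".")[0]
        if label in normalised or edit_distance(registrable(normalised), brand) <= 1:
            return brand
    return None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_url(text):
    """True when the visible link text is itself an address the reader will trust."""
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.IGNORECASE))


def analyse_email(html):
    """Return one finding per suspicious link: {'text', 'href', 'reasons'}."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append(f"displayed address {shown} differs from real destination {host}")
        if is_ip_literal(host):
            reasons.append("destination is a numeric IP address, not a company domain")
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link downloads an executable file")
        brand = lookalike_of(host)
        if brand:
            reasons.append(f"domain {host} imitates {brand}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Four of the five links are flagged and the genuine Microsoft link is not. The displayed-versus-real comparison is the automated form of the hover check; the brand heuristic catches both a confusable spelling (micros0ft) and a brand name buried in the subdomain of an unrelated site (paypal.com.account-verify.example), which is the "slightly altered address" trick. Tune the brand list and thresholds before using anything like this on real mail, since a short brand label will match innocent domains that merely contain it.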

Beware of phishing phone calls

Cybercriminals might call you on the phone and offer to help solve your computer problems or sell you a software license. Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.

Once they've gained your trust, cybercriminals might ask for your user name and password, or ask you to go to a website and install software that lets them access your computer to "fix" it. Once you do this, your computer and your personal information are vulnerable.

Treat all unsolicited phone calls with scepticism. Do not provide any personal information.

Schedule a meeting with ABTechnologies to discuss developing a strategy that provides real business IT security.

Source: Microsoft


The Smarter SMB’s Guide to Ransomware e-book

One billion dollars.

That's roughly how much money ransomware made for cybercriminals in 2016. It's only going to get worse as threats become more sophisticated, launching attacks gets easier, and more ransomware victims give in to extortion.
Fortunately, you don’t have to be a victim. A new e-book prepared by the ransomware experts at Barracuda shows you exactly how to make your organisation ransomware-proof.