Approximately two billion records were stolen between July and October 2019. That’s just in one quarter of a year! This is several times more than what was stolen last year – half a billion records. Even as organizations continue to invent new technology and pump in more and more funds (an estimated $124 billion in 2019) to secure data, the number of breaches also continues to rise – at an alarming rate!
It’s becoming evident that cybersecurity software solutions alone are not enough anymore. There is an urgent need to train employees and bring in experts who can close the loopholes left by software solutions. Therein arises the concept of offensive security.Continue reading Understanding Offensive Security
Just last year, the popular Q&A site Quora suffered a data breach, as reported by Techworld in their article on UK’s most infamous data breaches. This just goes to show that even the best of businesses are finding it a challenge to secure their data and vital business information in this age of digital advancements.
IT security is, no doubt, an overwhelming, daunting, and expensive task. With cybercriminals getting more advanced and sophisticated, organizations are struggling to find security solutions that will effectively counter them.Continue reading How Technology Can Simplify IT Security
ADFS (Active Directory Federation Services) is an SSO solution created by Microsoft to authenticate users logging into applications which are incompatible with Integrated Windows Authentication (IWA) and Active Directory (AD).
ADFS provides organizations with the flexibility needed to simplify the user experience while improving the control that admins have over user accounts across owned as well as third-party applications. Since ADFS implements SSO, your employees are required to remember only one set of credentials for all the applications.Continue reading What is ADFS and why do you need it?
Data protection and data privacy are so closely linked that people (and sometimes even organizations) tend to think of them as synonyms. However, understanding the difference between the two is crucial to ensuring that both protection and privacy are maintained.Continue reading Data Protection & Data Privacy – A difference that matters
As mobile phones became more sophisticated, their usage shifted from being communication oriented to application oriented. But phone numbers were never intended to be used as secure identifiers – their purpose is to simply act as subscriber identifiers during call routing. When applications use phone numbers in their login processes, it can give attackers and hackers an advantage.
Here are a few ways in which your OTP can be intercepted by hackers:
Man in the Middle attack
This is a type of eavesdropping attack in which a hacker places himself as a proxy or relay between the OTP sender and receiver. For the sender and receiver, the communication will seem like it is happening only between those two, whereas it is actually passing through an impersonator. Black hat hackers often hack into financial websites and place high-level codes which will allow them to intercept messages between banks and users, making it convenient for him/her to access an account.
Malware attack
Ready-to-download malware which can easily hack into a user’s mobile devices are available online. In addition to grabbing your SMS content, these can also access other areas of your phone like your gallery and directory to extract more personal information. In fact, a few of these malware are disguised as mobile applications like fitness trackers, timers, alarm clocks, etc.
SIM cloning attack
Investigative agencies use SIM cloning attacks to monitor and track suspects. However, SIM cloning modules are easy to find and purchase by anyone if they look hard enough. Using this, a user is cut off from his/her mobile network and calls and messages are redirected to the new SIM in the attacker’s phone. To carry out a SIM cloning attack, the SIM being cloned has to be of the GSM type.
SMS-C hack attack
All messages are required to pass to SMS-C servers placed in a mobile service provider’s network. Only after being processed by the SMS-C servers is the message transmitted to a mobile phone. If hackers manage to hack SMS-C servers, they can very easily gain access to all the messages entering and exiting the network. SMS-C servers are often protected by high-end security solutions which are hard to break through. However, it is not impossible.
Brute force attack
In brute force attacks, any and all combinations of numbers are tried to get the right OTP. If the number of entries is limited, brute force attacks can become ineffective in gaining access to an account, simply due to the number of combinations available. It also helps if the OTP is 6 digits instead of 4 digits as the combinations required to successfully execute a brute force attack increases by a factor of 100. Due to such a poor success rate, brute force attacks are not preferred by hackers.
For organizations, there is no reliable way of finding if your employees’ numbers have been compromised. To ensure that your network is secure, we suggest looking for a less-risky option for authenticating your users. You could go for an improved multi-factor authentication method like using the biometrics of a person to verify his/her identity. While there are more sophisticated attacks which can hack a biometric authentication system, it would be almost impossible to recreate a person’s thumbprint or retina blood pattern.
With Akku from CloudNow Technologies, you can easily create a fool-proof identity and access management system by integrating multi-factor authentication using biometric scanners in your login process. To make a significant improvement to your network security by enforcing biometric multi-factor authentication, get in touch with us now.
Is the only thing standing between your business’ critical data and a cyber attack a set of usernames and passwords? If yes, then it’s definitely time for a security upgrade for your cloud and on-premise applications.
We are increasingly using applications on our smartphones for business and personal purposes. Everyday activities have become much easier and more efficient to perform; what used to take us days to process can take us seconds today.
Adaptive authentication, method for enforcing the right authentication factors depending on users profile and tendencies. It acts to balance the level of trust against risk.
Adaptive authentication is the way that two factor authentication or multi factor authentication can be configured or deployed.
Identity management encompasses several operational mechanisms for managing users across a large system or network of applications. Two of the most prominent of those are Single Sign-on (SSO) and Federated Identity Management. Due to its evolving nature, identity and access management has several terms thrown around ambiguously. Even among developers, major differences are often missed while talking about federated identity and SSO. In this article, we aim to break down the difference between the two.
Most people use a Password Manager to save their account passwords. A password manager is an app or device which serves as a single collection point for all of a user’s account credentials. LastPass and Dashlane are two well-known password managers in the market. The usage of a password manager presents a security risk in case of a data breach. In fact, as per the Independent, the password manager LastPass was hacked and a data breach did occur, compromising user credentials.
Another high-risk method that many users follow is to save their passwords in their browsers, and use auto-fill for convenience.
In today’s world, data breaches are the highest level of threat – don’t forget, all your data is being protected by your passwords! No security initiative can come with 100% convenience – but it is important to understand and prioritize security.
This is even more important for enterprises, where the tools they are providing their users to manage their passwords are eventually protecting the company’s data.
There are enterprise IAM tools available in the market which help enterprises to provide a secure single sign-on (SSO) and other access control lists such as IP- and device restrictions, time and location restrictions, and multi-factor authentication. These functionalities help end users as well as administrators to protect company data with additional layers of protection.
Delving deeper into MFA as a means to improve password security, the trend today is that many leading SaaS providers have started deprecating SMS as the medium to send the OTP, since this is an old-school method and comes with dependencies in order to serve its purpose. The modern and more convenient way to run an MFA is using TOTP and push notification.
Implementing a single sign-on (SSO) with an MFA is a powerful way to boost the security of your passwords while ensuring a minimal compromise on the convenience front. And of course, type your password each time instead of saving it in your browser or a password manager to minimize the security risk.
Your password – your secret passphrase or PIN that you use for your email, social media profile, or applications at work – is necessary for you to gain access to your accounts. But more importantly, your password plays a critical role in ensuring that no one else has access to your accounts, ensuring the security and privacy of your own as well as your organization’s data and applications.
With advancements in technology, it is important to be aware that there are equally advanced ways in which people steal information belonging to others, and even more ways through which they can misuse that information. Therefore, it goes without saying that secure passwords are of prime importance.
Common Password-Related Mistakes
You can’t blame yourself for being naturally inclined to choose a simple password that will be easy to remember. Unfortunately, these are the very same passwords that are also easy to guess or crack with a hacking software. Remember that, if information about you that can be found online – your date of birth, favourite colour, pet’s name, and so on – is incorporated into your password, it becomes even more vulnerable.
Another mistake made by most people is that a common password is used across multiple online accounts. The problem with doing this is, if someone manages to crack your password to one account, you are giving them free access to the rest!
Writing down your password or saving it somewhere online? This is a very naive act that can put your entire online data at risk of being accessed and stolen easily. Some of the other mistakes you might be making when it comes to passwords is that you don’t change the factory-set or default password, you use the same password for too long, and so on.
Tips to Set Up a Secure Password
Create a long password with a minimum length of 10-12 characters
Use a combination of uppercase letters, lowercase letters, numbers, and special characters
Special characters need to spread out across the password and not be limited to the first or last place
Do not use the same password for multiple security points
Change your passwords every 1-3 months
Avoid using words with obvious references to your personal life
Avoid using dictionary words as a whole
Passwords in the Workplace
In the workplace, the importance of a secure password is further amplified because the breach of a corporate network can have consequences that will affect the entire business.
Employees, who are otherwise the biggest assets to a company or business, also become the weakest link in the security chain protecting its data. The reason? Poor password selection and the subsequent compromise to data security. A single password, if compromised, can open the security gates and let intruders in.
Combating Weak Passwords in the Workplace
A good password policy is the weapon of choice when it comes to combating the threat of weak passwords.
A password policy is a set of guidelines that help users set up strong and secure passwords. When a password policy is enforced, a user is not allowed to create a password that does not abide by these guidelines.
Some essential features of a password policy are:
1) Password Length & Complexity Requirement
The password policy ensures that every password created is of a minimum length (for example, at least 6 characters long) and needs to use a variety of character types (uppercase letters, lowercase letters, numbers, special characters).
2) Minimum & Maximum Password Age
This part of the password policy decides how often a password is to be changed. Ideally, a good password policy ensures the expiry of a password once in 3 months, so the user is forced to create a new password. However, if a policy prompts the user to change their password too often, they may be tempted to write it down or store it elsewhere. This, again, will compromise security.
3) Password History
When a user is prompted to change a password, he/she may tend to reuse a password they had earlier used for the same application. By enforcing a good password policy, users will not be allowed to reuse an old password at least for another 5 times.
4) Number of Failed Attempts
A password policy also establishes the maximum number of invalid attempts allowed before an account will be locked out temporarily. Once locked, the account may need administrator support to be unlocked and made accessible again.
Beyond Password Security
For companies and businesses that use highly-sensitive data, it may be required to go one step beyond just a good password policy that enforces strong passwords. In such cases, a two-factor or multi-factor authentication functionality may be enforced, where additional layers of security are integrated into the sign-in process.
With such a functionality, users will be required to re-validate their identity using one or more of the following:
A one-time password or PIN
A thumbprint or retina scan
A Yubikey, smart card, USB token, or magnetic strip card
Are your users’ weak passwords keeping you up at night? Speak to us to see how Akku can help with Password Policy Enforcement and Multi-factor Authentication.
