Two Factor Authentication (TFA) – Beyond Passwords
We all know that good passwords are complicated, should be different for every use and should be changed whenever there is any chance they have been exposed. We also know how hard that is to implement, enforce and track. So what do we do about this? Two factor authentication (TFA), which combines your username and password with something you have (a token) or something you are (biometrics), comes to the rescue. One time passwords (OTP), which are one way to implement two factor authentication, are a very good, low-cost option that may already be built into the firewall you have in place. Let’s take a closer look.
Something You Have (Tokens)
The most common type of two-factor authentication combines your username and password with a “token” device that displays a six- or eight-digit code you type in along with your credentials. Each code is valid for only one short time step (typically 30 to 60 seconds) and is accepted only once, so a code that is captured from a keyboard logger or a shoulder surfer is useless a minute later. You may already use these to access banking or brokerage account(s), both very common use scenarios. Adding token-based TFA to protect remote access is relatively easy and cheap to do and is very secure. One caveat: a code can still be phished and relayed by an attacker who is logging in at the same moment the user hands it over, so tokens reduce the damage of a stolen password but do not replace user training. The tokens are reliable, but you have to remember to have them with you!
Something You Are (Biometrics)
Biometrics technology has migrated from the movies to everyday use over the past decade. Biometrics examples include fingerprint sensors (laptops and smartphones usually), retinal scanners (most often used to protect physical access to controlled areas) and facial recognition (smartphones again). Biometric technology tends to be harder and more expensive to implement than token-based two factor authentication, and false negatives (the legitimate user being rejected) are still a bit of a problem. On the other hand, you cannot forget to carry your finger with you!
On the Cheap – One Time Passwords
One Time Passwords (OTP), also known as smartphone two factor authentication, are very simple and straightforward. You try to access your network remotely and, in addition to your username/password combination, you are immediately sent (by email or text) a single-use code that you must add to your standard credentials in order to gain access. OTPs are most commonly used to protect remote connections, but have other uses as well. Keep in mind that email and text delivery are only as strong as the mailbox or phone number they are sent to: a compromised mailbox or a SIM swap hands the attacker the code too, so a dedicated token or authenticator app is the stronger choice where you can manage it. The good news is that OTP is built into many current firewalls and can be implemented in less than an hour.
But Really . . . Why Do I Need It?
So now that you understand your options, you may still wonder . . . why do I need two-factor authentication? Let’s review three things. First, passwords are very hard to make secure, keep secure and manage. Second, your employees will almost always find a way around your security policies, including the sharing of passwords, using overly simple passwords, or simply by writing passwords on notes attached to their monitors. With two factor authentication you add that extra layer of security, so that even with a username/password, without that second factor (token or biometrics) you are not getting in.
Finally, take a moment to consider the following scenario. You have to lay off someone one day, someone pretty computer savvy. They leave and you shut down their user account, but they know how things work there and they know other users’ passwords. If you are not using two-factor authentication, you have to change EVERY password in the company to lock that person out. With a second factor enrolled per user, the passwords they know are not enough on their own, and revoking their token or phone enrollment is a single, auditable step. Two factor authentication not only adds a layer of protection to your network for your staff, it provides the control you need to quickly and effectively lock things down when that staff changes.
Let’s talk about password security. There are truly bad passwords, like your username, or “password.” There are slightly better passwords, like “Mike04!” for example, though a name with a number and a symbol tacked on is among the first things cracking tools try. And there are really good passwords like #94hwer0n, but they often end up taped to your monitor or under the keyboard. Not so good. So how should we handle password security in our world of hackers and hundreds of passwords? There are three elements of better passwords: complexity, length and randomness. And there is a “fourth dimension” as well, that of time. However good a password is, it must be changed when it may have been exposed (a breach at the site, a phishing email someone clicked, a laptop that went missing), and forcing frequent changes without such a reason tends to produce weaker, predictable variations of the old one.
Complexity refers to how hard it would be to guess your password. It is generally accepted that “real” or dictionary words are easier to guess than those that do not appear in a dictionary (or listing of proper names). Passwords of greater complexity also involve the use of punctuation marks, symbols and numbers, that is, any character that is not alphabetic. Finally, password complexity also increases with password length, which we’ll address next.
This is pretty simple: the longer the password, the better, with some caveats. The threat that matters is not someone guessing at a login prompt, which can be throttled and locked out, but an attacker cracking a stolen copy of your password database offline at billions of guesses per second. Against that, a seven- or eight-character password of any complexity falls in hours, so aim for at least twelve characters, and for anything that protects real money or remote access, 15 or more. (There will be more on longer “passphrases” later.) Beyond that point you are past diminishing returns: a random 15-character password is still out of reach of the brute force or guessing methods in common use today.
The third aspect of passwords is their “randomness” or uniqueness. Patterns, proper nouns, or even passwords generated by overly simple algorithms (such as your birth date and the name of your pet) are too easy to guess. Much better for password security are passwords based on words that do not appear in the dictionary, interspersed with punctuation and numbers. And even better are long, truly random passwords generated by software that nobody can remember.
Three Tricks for Good Password Security
Three easy ways to create strong, memorable passwords involve character replacement, mnemonics or random generation. Character replacement is as simple as toggling Caps Lock while you type your password, or maybe just for the first or last three characters. Be aware that cracking tools apply exactly these substitutions automatically (swapping a for @, o for 0, toggling case), so replacement on top of a dictionary word adds very little; it helps only when the underlying password was not a word to begin with. Using mnemonics involves creating a phrase and then using the first letter of each word to create a password. Of course, the most secure passwords are truly random ones created and managed by password software.
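The complexity, length and randomness discussion above, and the point about character replacement, can be put into numbers. The following is an added example, not code from the original article or from any password checker it mentions: it estimates the naive keyspace of a password from its length and character classes, then corrects that estimate downward when the password is just a mangled word from a leak list, and converts both into expected cracking time for an online (throttled) and an offline (stolen hash) attacker. The word list is a constructed handful of entries; the 14 million entry list size, the 10,000 mangling rules and the guess rates are labelled assumptions that you should adjust to your own threat model.

```python
import math
import secrets
import string

# Constructed mini word list standing in for the tens of millions of leaked
# passwords a real cracker loads; only the membership test is illustrated.
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein", "qwerty",
            "monkey", "football", "admin", "mike", "baseball", "shadow"}

# Assumptions for the estimates (adjust to your threat model):
REAL_WORDLIST_SIZE = 14_000_000      # about the size of one well-known public leak list
RULES_PER_WORD = 10_000              # mangling rules (suffixes, case toggles, leet) tried per word
ONLINE_GUESSES_PER_SEC = 100         # a login form with lockouts and throttling
OFFLINE_GUESSES_PER_SEC = 1e11       # one GPU against a fast, unsalted hash such as NTLM

# The substitutions people call "character replacement"; crackers undo them.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t", "|": "l"})


def charset_size(pw: str) -> int:
    """Size of the character classes an attacker must cover for pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Entropy if the attacker knows only the length and character classes."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_base(pw: str):
    """Return the word list entry pw is a trivial mangling of, else None."""
    low = pw.lower()
    for variant in (low, low.translate(LEET)):
        for cand in (variant, variant.strip(string.digits + string.punctuation)):
            if cand in WORDLIST:
                return cand
    return None


def effective_bits(pw: str) -> float:
    """Work the attacker really has to do: a mangled dictionary word costs
    about log2(list size * rules) guesses however 'complex' it looks."""
    naive = brute_force_bits(pw)
    if dictionary_base(pw) is not None:
        return min(naive, math.log2(REAL_WORDLIST_SIZE * RULES_PER_WORD))
    return naive


def crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Expected time to hit the password: half the keyspace on average."""
    return (2 ** bits) / 2 / guesses_per_sec


def assess(pw: str) -> dict:
    bits = effective_bits(pw)
    return {
        "password": pw,
        "dictionary_base": dictionary_base(pw),
        "naive_bits": round(brute_force_bits(pw), 1),
        "effective_bits": round(bits, 1),
        "online_years": crack_seconds(bits, ONLINE_GUESSES_PER_SEC) / 31_557_600,
        "offline_seconds": crack_seconds(bits, OFFLINE_GUESSES_PER_SEC),
    }


def random_password(length: int = 16,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Uniformly random password from the OS CSPRNG; for a password manager, not memory."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of a random passphrase drawn from a word list (7776 = a common diceware size)."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("password", "Mike04!", "P@ssw0rd", "#94hwer0n", random_password()):
        print(assess(pw))
    print("5 random diceware words:", round(passphrase_bits(5), 1), "bits")
```

Run it and compare “P@ssw0rd” with “#94hwer0n”: both are eight or nine characters drawn from similar character classes, so their naive keyspaces are close, but the first collapses to the cost of a word list with mangling rules while the second does not. That gap is the whole argument for randomness over clever substitution, and the offline column is why a twelve-character floor and a password manager are not overkill.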
The Best Compromise(s)
You need to determine how secure any given password must be. The one that you use to login to Facebook probably doesn’t need to be as secure as the one you use for your brokerage account. So do a bit of triage and then come up with simple, complex and fiendish passwords as needed.
– For simple needs, a mix of numbers, letters, and punctuation will suffice.
– For more secure needs, a long nonsense passphrase with some character substitution might work.
– At the high end, use good random password/phrase generator and management software.
Want a fun test? Try the password difficulty calculator at https://howsecureismypassword.net/. It will give you a quick idea of how strong your password security is. Do not type a password you actually use into any third-party web page, though; test a password of the same shape instead.
Of course, there is still quite a bit to wrestle with here on password security, but if this were actually easy, you wouldn’t need to read about it here. So maybe you’re asking yourself if there is a better way, something stronger but simpler than passwords. Stay tuned for our next topic – multi factor authentication.
For network security, we are going to assume you’ve got a modern unified threat management (UTM) firewall doing deep packet inspection, assume you’ve got signature-based antivirus running on your servers, desktops and laptops, and assume you’ve got a comprehensive, managed patching system in place that covers both Microsoft and third-party patches for servers, desktops and laptops. You might even be going that extra mile and training your users!
But there is so much more to truly securing your network, your systems and your data. Network Security is neither a product, nor a service, but an ongoing process. And remember, without proper and regular user training the most secure network is like a submarine with a screen door. Say it after me: security is products, services and procedures. This is the first article in a series; we’ll drilldown on each of these “twelve steps” to network security in the weeks following:
1) Better Passwords. This may seem “done to death” but the reality is that most passwords are still too simple to guess or crack w/software tools, are used too broadly across devices or sites and are changed far too infrequently. Every year the list of top ten passwords still include such gems as “password” and “12345” so this is a pretty low bar to clear. Getting serious about passwords is the quickest step you can take to improving security.
2) Two Factor Authentication (TFA). This is the next step beyond passwords. TFA is usually described as something you know plus something you are (biometrics) or something you know plus something you have (token based). These solutions can be as simple as issuing “one-time passwords” by text or email upon every remote connection. Many UTM Firewalls and/or SSL VPN remote access devices have these capabilities built in.
3) UTM Firewalls – The Simple Stuff. Very few businesses get the most out of their UTM firewalls. For example, many UTMs can do “geo IP filtering,” allowing you to block packets originating from any country. Do you really need traffic from Belarus or Moldova? This cuts down the background noise of scans and brute-force attempts, though a determined attacker will simply relay through a host in a country you allow. You can also filter your traffic at “Layer 7” on some, so you can block such potentially harmful and bandwidth-wasting traffic as chat streams, software downloads and more.
4) UTM Firewalls – The Harder Stuff. Firewalls do not scan encrypted traffic by default. This means every connection to Dropbox, OneDrive, or any other SSL site bypasses scanning! The answer is DPI SSL, a feature of better UTM firewalls. It works by having the firewall decrypt and re-encrypt the traffic, so the firewall’s signing certificate must be installed as trusted on every managed device, and applications that pin their own certificates will need to be excluded from inspection. Separately, you can protect your road warriors on “open” wireless connections by tunneling traffic from your remote users through your Internet connection. This is also provided by better UTMs.
5) Advanced Wireless. You can manage wireless access points and add a layer of security to your wireless implementations. You can force encryption of the entire data stream, scan for “rogue” access points or even shut them down completely. You can setup “wireless guest services” that control who can connect and when. You can have multiple “virtual SSIDs” so that some users get out to the Internet only, while some have network access, and more.
6) Network Access Control and Proximity. Let’s touch on managing access to your network internally. Yes, you’ve got credential authentication (username and password) protection in place. Did you know that you have built-in MAC address filtering in the DHCP Manager of Windows 2012/R2? It keeps unknown devices from getting an address handed to them, but a MAC address is trivially copied from any machine on the network, so treat it as housekeeping rather than a security boundary. And you HIPAA folks, did you know you can set a machine to automatically log out a user who moves away from their machine (think RFID)?
7) Outsourced Email Filtering. Everybody knows spam is more than an annoyance – it is a prominent source of phishing and other “social engineering” attacks. So email filtering is a must; and by moving it to the right external vendor you gain the advantage of being able to lock your email server down to just one range of receiving addresses, better management of your bandwidth and an email spooling location should your email server be offline.
8) Clean DNS & Web Filtering. Just by using one of the “clean DNS” services around the web as your primary and secondary external DNS references you can protect yourself against an ever-growing list of sites that can attack you simply by visiting the site – the “drive-by” attack. Web filtering is usually done in the firewall, but did you know you can also extend that to devices not behind the firewall, such as laptops in the field, with the right software?
9) Data Encryption At Rest. This refers to encrypting your data in place, on your server, your desktops and laptops, on your phones and your backups. This can be done at the hardware level on the server (right in the RAID controller and on the drives), at the OS level for your desktops, laptops and portables, and in software for tape or disc backups. This protects you both against physical site thefts and loss of data on portable devices.
10) Data Encryption In Motion. This refers to data that moves outside the perimeter of your building(s), whether carried on laptops, tablets and phones or “streamed” over the Internet whenever someone connects remotely, when you upload data to other locations and when your automated off-site backup (you do have that, right?) happens. For the most secure sites, this includes all wireless (WiFi) traffic as well.
11) Data Security at Rest. This refers to your ability to back up and keep safe your site’s live data and its configuration data (server configuration, user and site setup, device config and more). Nearly everyone believes they have backup handled, but the reality is very few do. Having effective backup is complicated and few businesses understand that real backup is about data, server imaging, off-site storage, business continuity, disaster recovery and more.
12) Data Security In Motion. This refers to data that travels with you, data that gets created outside your network and data moving in and out of your network through that leaky mechanism known as the Internet. Scanning encrypted data is tough and cumbersome for most UTM Firewalls, but absolutely necessary. And finding a way to enforce scans on machines that move outside the network is crucial as well.
Summing it All Up
Obviously, securing your business is complicated. There is always a trade-off between ease of use and time, effort and expense. There are no secure networks any more than there are safe drivers. But there are certainly more secure networks. It all comes down to figuring out how far you want to take your network security efforts and building the right products and procedures around that decision. Call Net Sciences and let us guide you through the network security maze, making the right and most cost effective decisions to protect your network, your data, and your business!
Network Backup – What are the three most important things I need to do?
To be truly effective at network backup, you must cover all three “vectors”. These three areas are first, Classic Data Backup (documents, email, databases, etc.), second, Imaging or Snapshots of physical or virtual machines, and finally, an Off-Site component in order to get you started on the road to business continuity and disaster recovery.
Classic Data Backup
This is the “classic” backup that many of you actually are performing today for your network backups. Whether you have automated backups to tape through software like Backup Exec, a Windows Backup job to USB drive, something running to an off-site location or perhaps even a combination of the above, you are probably backing up at least some of your data. Are your backups “granular” enough to restore just one email message? Can you roll back to earlier versions of your files? Do you have ability to backup data from one server to the tape or hard drive(s) connected to your primary server? Do you have the time (backup windows) to get it all done? Even the simple stuff can be complex.
Imaging or Snapshots
So now let’s talk about getting backups of the actual installation and configuration of your network. That means your Windows Servers and Active Directory, Exchange, SQL, and other servers. This includes the configuration of your network (users, groups, shares, permissions), and other site specific details that make your network yours. There are many further details to consider as well. Do you have frequent enough image backups? Where are these backups located; if they are only on the drive of the server backed up, what happens if it is gone? And will they restore to “dissimilar” hardware, so that they will work on the new server you will need to buy after that fire?
Let’s assume you have a complete data backup and configuration or imaging solution in place and that you can count on it when you need it. So what happens when the entire server and its connected USB backup drive have been stolen? Or if the building has been soaked by the sprinkler system that put out the server room fire? It all comes down to off-site data, be it on tapes, drives or that Internet based remote backup you do. Tapes are easy in this sense, as they can simply be transported on a regular schedule off-site. Disc and other strategies generally require you to replicate data off-site to another site or to an Internet based service.
Of course, you have to have some sort of device as a backup “target” to start. Tape is still a good option for small business, despite what you may have heard. Tape is faster than most disc-based options (up to 250G/hour) and cheaper ($50/Terabyte) than most other options.
Being removable and tough, tapes are easier to transport off-site as well. Backing up to disc does offer some nice advantages. Hard drives are cheaper than tape drives, though NAS (network attached storage) can be pricey. Disc backup is easier and faster to use once you actually have to perform that critical restore. And finally, disc backup provides some features (data deduplication, for example) that tape does not.
Three Needs, One Strategy
There is no one answer to all of these questions, but with a little help, you can stitch together a full solution. Symantec’s Backup Exec SBS Suite includes the ability to execute data backup to disc or tape, including Exchange, SQL, and Sharepoint. Also included in the package is the imaging capability to capture the configuration of your network and servers, with imaging and recovery to different server hardware.
Complemented with an off-site strategy, this gives you the basic tools you need. But tools alone are not a plan. If you are far enough along to be considering such things as communicating with employees in the case of disaster, or locating a secondary business site, you need a plan for that. Business continuity and disaster recovery planning comprises much more than just a backup strategy.
Details and More
Is your data encrypted or password protected on the media you backup to in case of loss or theft? How often do you do your imaging and can you use it to bring up different servers if you lose your existing ones? How about restores; are you testing them? How do you manage your backup media, secure it and make sure it is available when you need it? And how do you monitor all of these backups to make sure they get done?
Over the past few years, newer options such as continuous data protection (CDP) and business disaster recovery (BDR) devices have arrived as well. CDP provides continuous backups of your data right as it changes; no more scheduled backups. BDR devices can virtualize your existing server(s) and keep you going in the event of a loss of one or more of your servers. These BDR devices can reside at your site or be hosted off-site as well.
Planning and executing a truly effective and comprehensive backup strategy is just one of the many services that Net Sciences provides our customers. We can help you make sure that you have all the bases covered and work with you to design and refine your disaster recovery planning. Meet with us and discuss your backup, business continuity and disaster recovery strategy. At Net Sciences, we watch over your data so that you don’t have to.
I speak with business owners all the time that say things like, “but my data isn’t valuable to anyone.” This usually leads me to ask them whether they think that vandals that “key” cars do it because they need the paint. The bottom line is that your network is always under attack, whether it be targeted or simple Internet vandalism. The answer is to implement a “layered” defense scheme at the perimeter, server(s) and desktop.
Securing your home wireless network is easier than ever before. Improving the security of your home or office wireless network is a relatively painless three-step process. You will learn to change the SSID of your wireless device (alter), use MAC address lockdown (filter) and enable WPA2 encryption (protect) on your connection. This entire process can be accomplished in 15 minutes.
Now that you have your new computer and you’re ready to go flying around the Internet, what should you do first? In order to safely surf the unfriendly Internet, you’ll need to prepare in three ways. You’ll need antivirus/antispyware software that updates itself automatically. You will need a good software firewall. And you will need to be sure that you keep up with the latest Microsoft Updates. And if you are running Windows but not using the latest version (XP SP3, Vista SP2 or Windows 7 SP1), it is time to get that done!
What is the single most important component of your business network? Is it your servers, desktops, laptops or phones? They are all important, and some are costly. But if you stop to think about it, the only truly valuable “item” is your data. Everything else can be replaced and, if you are well insured, with no more cost than the downtime and aggravation of putting it all back together. Data is not like that. Data is precious, irreplaceable and, as you will see, very hard to control.