Scorpion Software Blog

So what do monkeys, dragons and ninjas have in common? They are all part of the list of the top 25 passwords used in 2012. That’s right… in 2012! Pretty scary if you think about it.

While we can believe things are getting better, the reality is that common English words continue to be some of the worst passwords being used today. If you consider the infographic below, you will find that 14 of them are common words. The rest are common patterns.

So how can we fix this? For starters, create stronger passwords. We can’t continue to use such weak passwords to begin with. I know what you are thinking… the more complex you make it, the harder it is to remember. Fair point. So start using a password manager. Pick something that is easy to use, easy to access from almost anywhere and easy to backup. Make sure it is secure. Not by a simple PIN or password. Use stronger credentials when possible.

When you can, don’t use a password at all. Many services now support two-factor authentication. Use it. Strong authentication is always a better choice, and actually makes it EASIER for users since they don’t have to remember another password. And when possible, use single sign-on. Make it possible so staff don’t have to enter any sort of credential to begin with. Once they have validated their identity (hopefully with a strong auth cred), let them access the resources there are entitled to access… both on-premise and in the cloud.

Sound to good to be true? If so, consider the fact that AuthAnvil Password Solutions does all this for you. Password Management. Two Factor Authentication. Single Sign On. All in one box. If you want to talk about it, let’s chat.

BTW, if you would like a higher quality copy of the infographic to print and show inside your organization you can download it here. Enjoy.

Hurricane Sandy, which could become the largest storm ever to hit the United States, is set to bring much of the East Coast to a virtual standstill in the next few days. About 50 million people are in the path of the massive storm, which has already killed 66 people in the Caribbean and is expected to hit the U.S. Eastern Seaboard tomorrow morning.

In such severe weather conditions, our first thoughts have to be of family and friends. Their safety has to be paramount. Cities like New York are acknowledging that and have decided to shut down the transit systems and schools today and have ordered residents of low-lying areas to evacuate before a storm surge that may reach as high 11 feet.

Interestingly enough though, many federal agencies in Washington will continue to get work done during the storm. Why? It’s because many departments have a strong teleworking program that will allow staff to work from home safely.

If you work with businesses in the affected areas, can they say the same thing? In the midst of severe weather conditions can your business, and that of your clients, weather the storm… so to speak? Teleworking should be a part of any business contingency plan where information workers can and should continue to work away from the office in the midst of conditions like storms, sickness and work/life balance events.

To help you consider teleworking, check out the following episode of Five by 5 where I discussed this very thing.

As you can see, a teleworking plan can help address the direst of events while allowing your staff and clients to stay safe. After this storm passes, consider having this discussion with the business leaders in your circle of influence if you haven’t already. You can weigh the business interruption and financial loss against the safety of their staff and opportunity to keep working from home. Could they have continued to run the business away from the office like the many in Washington are? A combination of on-premise solutions like Remote Web Access, Citrix or VDI along with cloud services like Office 365 or Google Apps can help extend your business presence to their home computers. And of course, all of this can be secured with AuthAnvil Password Solutions, giving you the confidence that it is your staff remotely connecting in, and not someone else taking advantage of the situation.

To all our friends on the Eastern seaboard, stay safe. Our thoughts are with you. For the next week, all cases opened from clients on the Eastern seaboard will get escalated support to assist you in the midst of the storm. If you need us, we are here to help you and your staff.

One of the more interesting comments I have received lately surrounds around the belief that cybercrime isn’t something that affects small business. I would argue that this is not the case. It’s no laughing matter. Or, well… maybe it is.

Check out the video below to see what I mean.

Cybercrime can happen in any business. According to the National Cyber Security Alliance research that was conducted in collaboration with Symantec two thirds (66%) say their business is dependent on the Internet for its day-to-day operations. The research also indicates that these businesses have vital information to protect, including:

• 69% handle sensitive information, including customer data
• 49% have financial records and reports
• 23% have their own intellectual property
• 18% handle intellectual property belonging to others outside of the company

In light of my previous discussions about how you cannot trust LinkedIn and how you should not become another "Billy, Betty or Boob", you need to stay vigilant. You have a lot at stake!

Stay safe. If you need any help, make sure you reach out to our professional services team. We are here to help. Let's talk.

I am a fan of LinkedIn. I think it is a great way to interact with business colleagues and peers. But to me, LinkedIn is not a system of trust. It is a system on convenience. One of the most powerful features LinkedIn touts is the ability to associate with other peers in your circle of influence, create and receive recommendations, and more recently be endorsed for skills & expertise.

LinkedIn is becoming a platform of professionals. You can easily look up the profile of someone and learn where they work, and in what capacity. Many sales teams use it to learn more about a prospect, and C level executives like myself use it to understand the reporting structure when we are contacted for business development opportunities.

Here’s the thing though. You can’t trust LinkedIn. That’s right. You simply cannot trust it. And let me tell you why.

The open platform makes it easy for you to create an account, and associate yourself to the company you work for. The problem is ANYONE can do this with ANY company. LinkedIn turns from being a platform of professional association to a social engineering attack platform.

Here’s how.

At Scorpion Software we are going through this right now. We are dealing with a security incident in which a “professional” (and I put that in quotes on purpose as foul language is not appropriate here) has associated himself with our company, representing himself as the “Regional sales coordinator” at Scorpion Software. Problem is he’s not. Worse yet is we don’t know this person, and have no association with him whatsoever.

We contacted LinkedIn about this several weeks ago in an effort to have him removed, because we CAN’T remove him from our company ourselves. He has been able to walk around Vancouver representing himself as a member of our team, when he simply isn’t. Worse yet, he could easily subscribe to the LinkedIn groups we are part of and start posting as a representative of the company. This could put our business reputation on the line if he was to make false statements or otherwise misrepresent the company.

Here is where it gets even more interesting. This got me thinking. An adversary of ANY company could create an account on LinkedIn and then “associate” himself with a target through the same platform. He could phone you up and use this as a social engineering bridge to get inherited trust because of your belief that LinkedIn shows he can be trusted. After all, he is associated with the company you trust on LinkedIn. He must be OK. Right? How much further would it need to go before there is an information disclosure breach or worse, because of that implicit trust? How hard would it be to create a fake persona of work history, demonstrating an identity that is pure fiction? Not hard at all.

LinkedIn as an identity proof is a failure. You cannot simply trust what someone has on their profile. You have to look at the associations, recommendations and links. You will notice as an example that the person pretending to be with our company has NO ASSOCIATIONS with our company.

I will make you this promise. If someone shows as an employee (or alumni) of Scorpion Software, they will have a first level association with me (Dana Epp). If they don’t, you should consider them suspect.

Since the original incident report, LinkedIn has indeed removed him from our list of employees. However, if you view our company page when not logged on, you will still see him listed as a new employee. Apparently LinkedIn still has some work to do on how they triage and deal with security incidents of identity misrepresentation.

So don’t trust LinkedIn blindly. Be careful. Looks closely at the associations. Verify the person before you trust it. Use the cool tools built into LinkedIn to strengthen the reputation score of someone you are not sure of. As the National Cyber Security Awareness campaign is trying to teach you… STOP. THINK. CONNECT. I’ll add another piece to that and say TRUST… BUT VERIFY.

And if you are EVER unsure about staff at our company, email me directly at dana@scorpionsoft.com or follow me on Twitter at @danaepp and send me a private message. I will vouch for anyone on my team that you may have business dealings with.

When it comes to cybersecurity, the worst thing you can do is run out and try to buy your way out of worrying about it. As we hear time and time again, security is a process… NOT a product. Applying any sort of technical safeguard BEFORE you know the risks you are susceptible to is just plain silly.

Besides, security is more than firewalls and antivirus. It is about risk mitigation, NOT risk avoidance. And every business out there will have a different tolerance for risk. The best way to tackle cybersecurity is through a strategic approach which includes plans to secure existing systems and keep your business going forward.

Now, this is a perfect opportunity for IT Service Providers to engage in professional services with your clients. You can help evaluate your client’s current cybersecurity posture and create a plan on how best to handle it, producing the appropriate guidance to help reduce risk to an acceptable level for them. And, it helps you to produce a deployment schedule where you can offer guidance on how to best do that, and help to gain business alignment on the deployment of technical safeguards in the future as appropriate.

To help you along the US Federal Communications Commission created the Small Biz Cyber Planner that can help you do just that. You can find it at www.fcc.gov/cyberplanner. Use this tool to create and save a custom cyber security plan for your client, choosing from a menu of expert advice to address your client’s specific business needs and concerns.

As you create the cybersecurity plan and tailor it for your customer, make sure you focus on three key areas:

• Prevention: Solutions, policies and procedures need to be identified to reduce the risk of attacks.
• Resolution: In the event of a computer security breach, plans and procedures need to be in place to determine the resources that will be used to remedy a threat.
• Restitution: Companies need to be prepared to address the repercussions of a security threat with their employees and customers to ensure that any loss of trust or business is minimal and short-lived.

While you are generating the template for this plan at the FCC, make sure you also download their Cybersecurity Tip Sheet. It provides ten simple cybersecurity tips for small businesses. Just remember the most important part of Tip #10.

“Consider implementing multifactor authentication that requires additional information beyond a password to gain entry.”

If you would like more information on why that is important, let’s talk. We can show you how AuthAnvil Two Factor Auth can do just that.

October is National Cyber Security Awareness Month. It is held to encourage people to do their part to make their online lives safe and secure. While it is easy to defer online risk as a consumer problem, it really is just as much a problem at work… if not more. Cybersecurity begins with STOP. THINK. CONNECT. These three simple acts are the starting point for staying safer and more secure online.

• STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
• THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your online actions could impact your safety or your family’s.
• CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.

While it would seem simple, it’s hard to believe in this day and age this simple thinking isn’t observed in the workplace.

To help educate your end users, consider sharing this post with them, and have them watch the video below, where they can learn what NOT to do. You may find some of your older users will get a kick out of the format. (And they may be able to relate)

Of course, there is a huge amount of other content you can check out at www.staysafeonline.org.

One of the reasons we can deliver the enterprise-class capabilities in AuthAnvil Password Solutions to small business IT Professionals is through our constant refinement in our processes and technology. We leverage technology to optimize how we work with our clients and to keep our costs down so we can pass those savings onto you, our customers.

One great example is the AuthAnvil Licensing Manager (ALM). This is a piece of software that is installed inside the server components that randomly checks in throughout the month and reports to us how many seats of any one product is in use. We average those checkins throughout each month, and then charge you for what you have actually used at the beginning of the next month. This way, if you purchased 50 tokens but only assign 10 of them to staff, we would only bill you for those 10 seats for that month. It is one of the reasons you will find we are so much less expensive than many of our competitors; we use a utility-based billing system that charges you AFTER you have consumed the service. This way you don’t have huge upfront fees, and only pay for what you use. Better to pay $50 for last month’s usage than $3,000 in advance for something you may not fully use!

You can read more about our subscription billing model here.

Now, today I saw a tweet from a customer that was not happy with how this system works.  While I am not privy yet to the actual conversations Andrew has had with some of my team, it appears he feels we are hiding behind technology in how we processed his account usage. I am guessing this stems from the fact he doesn’t understand how the ALM has worked for him up to this point, which is really too bad. While it has been public for years, it’s understandable that our customers don’t think about it because it works so well. Well, at least for most people.

In any case, it doesn’t matter. We strive to make sure our customers are absolutely delighted with our solutions and services, and it’s clear we have failed to deliver to Andrew’s expectations. While I have already tweeted to Andrew that I would be happy to personally connect with him to help him uninstall any software that is still checking in that he doesn’t want to, I wanted to make sure that going forward this process is better documented for all our customers. So I have asked my Customer Service Manager to write specific documentation on how best to uninstall AuthAnvil Password Solutions so customers can know EXACTLY how to stop the ALM from checking in with us. 

You can now find that documentation here.

Andrew, I want to personally apologize that we haven’t been able to meet your expectations today. I do hope though that you now understand how our software and billing works, and have the information you need to ensure going forward that any servers you have AuthAnvil on that are still checking in get turned off. Of course, my offer on Twitter still stands. I would be happy to work with you to do this if you need any help.