Scorpion Software Blog

Dealing with a reported possible breach of an employee’s account requires specific action to be performed by the employee and IT department. The breach can often create many problems because it has the potential of exposing confidential data that likely needs to be protected at all times.

What Happened?

The first determination to be made is exactly what happened. By understanding how the account was compromised, the Help Desk can quickly get to work on rectifying the problem. Many times, an account was compromised through a cyber attack, where hackers gain unauthorized access into the account and steal the data. It is imperative to understand if the possibility exists that the hacker obtained the information through social engineering (trickery), brute force (using guessing or computer software programs), or a vulnerability in the company infrastructure.

What Accounts Are Affected?

If the company has strict password guidelines and protocols firmly in place and fully enforced, then more than likely only one account has been affected. If the employee used the identical password on multiple accounts, it is highly likely that the other accounts will be compromised, if that has not already happened. While it is important to immediately change all the affected account passwords there are other steps that must be initiated to minimize the damage from this breach, and prevent any future breach.

Taking the Appropriate Steps

There are specific and appropriate steps that must be taken to ensure the damage to the affected accounts is minimized. The steps include:

Step #1. Change All Passwords

An immediate change should be made on all passwords held by that specific user on every account they maintain. Limiting access to the company server will minimize any damage from this moment forward.

Step #2. Scan for Malware

It is imperative to instantly perform a virus scan to seek out any malicious malware or embedded viruses that may have been opened on the company server. This includes a full scan on both online and off-line hard drives, along with portable devices including USB sticks and external hard drives.

Step #3. Review Password Policies

Once the damage has been identified, minimized and controlled, it is important to review all password policies and protocol. An effective policy should be implemented that ensures that all generated passwords include both lowercase and uppercase characters along with letters, numbers, symbols and special characters. Password lengths should be pre-determined to be no less than nine characters long. The policy should also include an automatic change every 90 days, with the inability to reuse historical passwords again. The system should also be set to prevent the use of personal names, or other identifying data, sequential numbers or easy-to-guess words or phrases.

Step #4. Retrain Employees on Social Engineering

Anytime a potential breach exists, it is important to retrain all employees on the damaging effects of social engineering. Every member of the workforce should be instructed on how to handle all types of social engineering including effective emails. Writing, speaking or posting passwords openly should be strictly prohibited, along with storing them in text files on the Internet, or the company intranet.

The IT department should also train every employee on brute force attacks from hackers and cyber-thieves. The training should include how hackers work to steal confidential company data through unauthorized access into the organization’s servers.

Step #5. Incorporate Two-Factor Authentication

A simple way to develop a higher level of protection to avoid the potential for security breaches is to incorporate two-factor authentication. The additional layer of security can be provided through biometric means (a fingerprint or iris scan), USB tokens, token-less software authentication, smart cards, audio port tokens, magnetic stripe cards, virtual tokens and others.

A second layer of authentication works over and above the standard username/password combination. Two-factor authentication is based on two or more specific factors that include knowledge, possession and/or inference. Knowledge is based on something the user automatically knows (their username and password), something they possess (a token, or answer to a specific secret question), and something they are (a fingerprint scan).

There are specific basic actions that the IT department and Help Desk can perform to ensure potential security breaches are minimized in the organization. Higher levels of security can be created by building a system that will require the user to use a two-factor authentication system every time sensitive resources are accessed. The company protocols on passwords should also include the necessity to use a different password for each specific account, especially those at the administration level.

By incorporating two-factor authentication methods into the authorized user protocol, the IT department can ensure that the company data remains secure and confidential. It is up to the management of the IT department to develop and enforce strong procedures. This will ensure that every employee understands the same guidelines when creating and maintaining the safeguards at protecting company information.

Remember: just as loose lips will sink ships: poor policies, collapse companies.

If you want to learn more about how devastating cyber-crime can be, download our free 10-page eBook on Cyber-crime and Small Business.

The Help Desk in every organization and enterprise continually works on implementing the best practices to maintain the security and confidentiality of the company’s data. This includes maintaining passwords as the initial line of defense to safeguard against cyber-attackers.

Without a doubt, one of the most common in-house requests made to the Help Desk is to reset a password. With proper procedures firmly in place and fully enforced, organizations can provide a higher level of security in safeguarding the company server and all confidential information.

Automated (Self-Service) Resets

With nearly ¼ of all calls into the Help Desk being related to password resets, many enterprises choose to offer self-service management to their employees. This helps minimize the demands on the Help Desk that are often overburdened resolving other critical IT issues. However, this often requires a password management tool that will provide the opportunity for end-users to automatically reset forgotten passwords.

By incorporating a personal question that needs to be answered correctly before the reset is allowed, IT departments can greatly reduce the demand of Help Desk requests. Providing the opportunity for an employee to automatically reset their forgotten password also helps to increase worker productivity because the worker can quickly gain access into the server and resume performing their job.

Strict Access Regulations

Incorporating strict access protocols for password resets can create a stronger security level when maintaining the confidentiality of crucial company data. Many companies develop strict procedures will automatically expire a password after a pre-determined amount of time (typically 60 to 90 days). Resetting an old password with the new one requires a credential-verified authorization to identify the account owner. The process includes:

• Proof of Identity – The identity of the account user will need to be verified before any new password can be generated. The proof of identity will usually be obtained through the previous password, but sometimes a second level of security is used, which could simply be the answer to a secret question, access through a USB token, or a Smart Card.
• Access Regulations – Only a minimal amount of individuals on the Help Desk staff and upper levels of IT management should have the ability to reset passwords for company infrastructure. In addition, any infrastructure password reset should be automatically reviewed to ensure the highest standards have been maintained throughout the entire process. 

Strict Reset Requirements

 The Help Desk should provide strict guidelines when developing a new password on a reset. These guidelines should include the following:

• Case Sensitivity – All new generated passwords will be case-sensitive.
• No Traceable Information – All personnel are strictly prohibited from using traceable information such as detailed data in the personnel file. This would also include the avoidance of a spouse's name, the name of a dependent, Social Security numbers, addresses, the name of their car, pet, or other identifiable data.
• No Dates – No dates can be used in generating new passwords in any format. This includes year dates, months of the year, or days of the week.
• Special Characters and Symbols – Every new generated password must incorporate at least one special character or symbol (i.e. #,@, %,?), along with at least one uppercase and lowercase letter along with at least one number.
• No Sequential Characters – All consecutive or sequential alphanumeric characters will not be allowed (i.e. AAA, bbb, ABC, AbC, 111, 123).

No Password Assist Allowed

Part of the policy that should be incorporated by the IT department should include a strict guideline that forbids personal password assist programs. If the system automatically prompts the user to save any password on the computer, the user must decline the specific opportunity.

Another important aspect in designing strict policies concerning password resets is that only the user can request and obtain a password reset opportunity. Any attempt to obtain a new password reset for another individual should automatically lock the user out of the system with a generated report sent to the supervisor of the employee.

Finding the Right Level of Protection

Every IT department should always follow the strictest guidelines of finding the right level of protection when developing strong security layers. Any password reset performed over the Internet or on the company server should only provide access to a password reset link, instead of sending the physical temporary password.

Creating a secure perimeter often requires more than just one level of safeguarding. By incorporating two-factor authentication into the process, IT departments can minimize many of the problems that involve user/password combinations.

It is imperative that companies, organizations and enterprises develop strict guidelines for employee password resets. Adding an additional layer of two-factor authentication will increase the security level when protecting crucial, confidential data, or access into the system. Whether a company’s IT department elects to incorporate a self-service automatic password reset, or only allows the Help Desk to perform the job, strict guidelines must be implemented and enforced.

It is critical for any enterprise to develop and maintain strict conformity on using passwords in the organization. A well-defined IT security plan will serve as the first barrier of defense when safeguarding critical company data. Many successful IT departments will often rank the security priority of their password policies at the same level as their disaster recovery. It is essential to educate the entire staff on the best practices for developing and maintaining password standards within the organization.

Password Management

Developing a strong password management system is a key component to combating forces that have the ability to compromise the company’s electronic resources. There are two significant forces that can wreak havoc on any company server, or Internet connection. These can be defined as brute force and social engineering. Many brute force attacks use specific methods to obtain valid credentials systematically, by guessing valid user name/password combinations. Social engineering is a method that involves the account holder and/or their information to provide or guess the password. By obtaining valid passwords the hacker can expose or exploit the company’s resources on their intranet.

Enforcement and Compliance

The only way to ensure the password policy remains effective is to fully enforce the protocol once it is initiated. Every member of the staff needs to understand that they must be in full compliance with all stated IT password policies. Part of the compliance process will require the password administrators to remain diligent from a variety of fronts. The staff should know that the department will routinely:

• Perform Password Audits – The IT department should run password audits and notify any employee when their password is ineffective and requires a change.
• Mandate Password Changes – Periodic changes of passwords should be mandated every 60 to 90 days on all components of the server including server-client applications and operating systems.
• Examine Employee Workspaces – The IT department should continually examine workspaces for any noticeable written passwords on monitors, keyboards and other locations surrounding the employee.
• Train Every New Employee – The IT department should continually train existing employees and all new employees of enforced password policies. Retraining should also occur anytime a new policy is implemented.

There are specific ways to effectively handle a password, and ineffective methods that should always be avoided. This usually requires the avoidance of many social engineering tricks including simply giving out passwords when an employee forgets his or hers. Just as a financial institution will not disclose the PIN in person or over the phone, but simply will verify the PIN if it can be remembered, the IT department should follow the same protocol. Properly handled passwords and passphrases should never be:

• Spoken out loud, emailed or written down.
• Shared with any other individual including other employees and management.
• Designed to be easy to guess or hinted.
• Shared when an employee is away from the office.
• Duplicated with other accounts.
• Automatically saved on the computer.
• Typed out and saved in any non-encrypted format, especially text files. 

The Attributes of a Proper Password

Because the IT administrator will already have predetermined the complexity of pass phrases and passwords, it is essential to enforce the policies in place. When fully implemented, the staff will automatically reduce the likelihood of their passwords being compromised.

There are specific attributes when developing a proper password that will work across all applications and operating systems. These specific attributes allow the IT department to help enhance the complexity of the policy concerning passwords in an effort to heighten security. The staff must be made aware that the complexity of these best practices provides better protection for them and the company. They include:

• Frequency of Expiration – The administrator will likely have already set a specific time frame on the validity of the password. Most IT departments that are successful at managing passwords require a change every 90 days. The more familiar every employee becomes at changing their password, the simpler the process will be.
• Password Character Length – Typically, a six character password minimum is required. However, longer passwords are better. Passwords used by the administration should be at least 10 characters or greater.
• The Composition of the Password – Every generated password should be mandated to contain a combination of letters, numbers, symbols and characters in a case-sensitive environment (uppercase and lowercase).
• Invalid Attempts to Log In – The user should be automatically locked out if too many invalid attempts have been made when trying to log in.
• Password History Lockout – The system should automatically disallow any of the past passwords from being reused.

Some of the best practices for the Help Desk to use in protecting the company’s crucial confidential data is to incorporate two-factor authentication methods. These methods require a user to provide something they know, such as a PIN, plus something they have, like a SoftToken generating a one-time password.

Teaching password policies during a new hire’s on-boarding process will ensure that every member of the team is following the same guidelines and procedures concerning logging into the company intranet.

All employees must be made to understand that passwords are a crucial aspect of the security of the company’s intranet servers. They are the front line of protection against every user’s account. Any poorly chosen or developed password could result in a devastating compromise of the entire network. It is the responsibility of every employee to follow the strict guidelines, procedures and policies of the organization to ensure that all passwords are created properly and fully maintained at all times.

The Purpose of the Policies

All written and enforced policies concerning password generation and maintenance are used to reduce the potential risks to the organization, and the employees. The main purpose of all of the policies is to provide a high level of security and privacy from developing strong password choices and encouraging their secrecy at all times. It is always the immediate responsibility of every employee to keep their private passwords a secret. For example:

No password shall ever be written down, spoken or otherwise given out.

The process of storing of any generated password will be fully detailed by the organization. It is the responsibility of every employee to avoid using any “Remember My Password” feature or application as is offered by Outlook, Internet Explorer, Firefox, Windows and more. It will be the standard operating procedure that passwords will never be stored electronically, cached, transmitted or transferred in any formatted or clear text.

The Scope of the Policies

The policies concerning passwords in the organization are designed with a specific scope in mind. Every password policy will be followed by the entire staff including all associates, employees, supervisors, managers and high level staff.

Unacceptable actions

There will be specific actions concerning accessibility into the company’s intranet that are fully prohibited and unacceptable. Every newly trained employee must be made aware of these unacceptable violations before gaining access to the company data. These violations include:

• Access to any of the company’s facilities, networks, information or equipment without specific authorization.
• Access into the company intranet through another individual’s account. Access to another individual’s information, files, folders or data.
• The distribution or transmission of company data that is unauthorized.
• Sharing of confidential password and pass phrase information to any individual, associate or manager.
• Writing down passwords at any location.
• Any action that might create a potential breach of information.

It is important that every newly hired employee understands that a breach of information can happen easily when weak passwords are designed with common words that are too simple and too short. Along with understanding brute force cyber-attack methods of obtaining information, the training should also include all of the ways for potential possibilities of being hacked through social engineering strategies and methods.

The proper training on effective strategies, procedures and protocols in developing and safeguarding passwords can create a stronger protection against access to electronic company data. Employees should understand the risks involved in creating potential breaches from both inside and outside the office. The more often an employee is required to change their passwords, the easier the process can become. In time, developing and maintaining strong passwords will become second nature, even to a newly hired employee.

Want to learn more? Check out this massive 42-page eBook fresh from the locker room. We'll show you which plays you should be running every day, and which need to be run... right out of town.

A business or personal email account is by far one of the most crucial forms of communication in our lives. Business emails contain confidential contact information including the names and addresses of associates, employees, vendors and others. Personal email accounts usually contain the contact information of everyone important in our daily life.

You Suspect You Have Been Hacked

More than just containing the contact information of our business or personal lives, email accounts are full of pertinent data and personal information. If you suspect that a hacker has gained access into your email account through a stolen password or other method, they could be stealing or reading through all of your confidential emails.

There is a wide array of phishing and trojan tools that any hacker can use to gain access into an email account. These are computer viruses and spyware that might be received through an email or attachment. Once these hacking programs have been downloaded into the PC, Mac, smart phone or tablet they can easily record confidential passwords to gain access into the account.

The top ten signs that your email has been compromised are:

1. Signs that emails have been deleted that were never deleted by you.
2. Signs that emails have been sent to business or personal contacts that were not sent by you.
3. Signs that an email has been previously read that was unopened by you.
4. Your email Inbox is filled with rejection notices from MAILER-DAEMON for many messages you know you did not send.
5. One or more outgoing messages located in the Outbox, Drafts or Sent folders that were neither sent or created by you.
6. Contacts located in the address book that have been modified or erased.
7. A link now appears in your email signature that was not put there by you.
8. You are not receiving new mail, or any new mail is being redirected to another folder.
9. You find that you are continually “bumped” out of the account every time you attempt to sign in.
10. Confidential information (secrets) that others know about that were only contained in private emails.

Cyber Attacks Are Common

Being the victim of a cyber-attack is commonplace. It is quite simple for a hacker to steal another individual’s password from inside or outside means. A hacker can use a key logger that will literally track every keystroke you make on your keyboard. By recording every keystroke, the hacker will eventually be able to recognize passwords and user combinations anytime you login to your personal or business email account. Key logging can be performed in a completely stealth environment with the recorded information covertly being sent to the hacker through an email.

If you recognize any of the above signs, it is highly likely that a hacker has intruded in your private personal or business life and can read all of your emails. While changing the password immediately can slow them down and prevent them from gaining access back into the account, this is only a temporary fix. To solve the problem, you need to identify the cause of the breech, and seal it. 

Big events can sometimes be targeted due to large attendance and unaware attendees. Don't let your data run away. Check out our eBook on keeping secure at major events.

Many events entice their participants and audiences with Wi-Fi services that tend to be slow, faulty, intermittent, or nonexistent. Even worse, with a huge amount of participants all connecting to the same Wi-Fi, it is extremely easy to get spoofed, hacked or cyber-attacked, even when taking the necessary precautions. In today’s global electronic age, connecting to an Event Wi-Fi is simply a bad idea.

There is a huge list of complaints from individuals that have tapped into Event Wi-Fi technology only to find out that their mobile phones and laptops were hacked while attending the event. Some indicate that their bank account information had been obtained while connected to the Event Wi-Fi, and unauthorized purchases made online.

Many individuals find that tapping into public Wi-Fi hotspots can often be a lifesaver, especially when someone needs instant electronic communication. However, when the security is breached, their world can quickly turn into a nightmare.

The problem is usually a result of the default security firewalls and settings on a tablet, notebook or smart phone. They might simply not be strong enough to avoid being hacked from prying eyes eager to swipe the information.

Hotels Use the Same Technology

The problem does not just reside in Wi-Fi technology used in events. Hotels use the same technology and provide just as large an opportunity for their customers to be hacked. Often times, identity thieves are far more interested in the information that is being transferred across the hotel Wi-Fi connections than the money the individual deposits in the hotel safe.

Recent reports indicate that consumer credit cards have a higher percentage of being hacked at an event or a hotel through public Wi-Fi connections, than in any other location. Nearly four out of every ten hacking incidents around the world occur as a result of a connection at an event or in a hotel. Just as bad, surveys have indicated that nearly one in five hotels have experienced malicious activity over their network systems.

While it does take a level of security to enter into the network system, once connected, other network users can gain access to shared files on every computer, laptop, mobile phone or tablet. Most Event Wi-Fi connections and hotel networks do not provide the prevention of one guest connecting to another guest’s logon.

An Ideal Location

For a cyber-thief or hacker, an unsecured wireless network seems to be the ideal location to perform a variety of crimes. With the instant accessibility to dozens or hundreds of different tablets, notebooks, mobile phones and laptops, hackers enjoy the ability to exploit the Wi-Fi network to perform their online muggings. They can easily gain access to an individual’s financial bank account, credit card accounts, and other personal, confidential information.

Safeguards and Protection

There are effective solutions for hiding from cyber-attackers and hackers, as a way to avoid the theft of personal and confidential information. These effective solutions provide protection, and even a way to stay connected on an open Wi-Fi without being detected. There are specific things that every online users should watch out for that include:

• Watch for Fakes – Many hackers will often set up in “Evil Twin” connection site that appears to be identical to the Event Wi-Fi. Once connected, an individual can have their accounts hacked and confidential information stolen.
• Wi-Fi Protected Access – A Wi-Fi Protected Access (WPA) network typically requires the input of the password to gain access as an authorized user. While it can prevent eavesdropping from individuals outside of the network, it does not stop any other connecting guest that has a connection to the same network from stealing any confidential information from a laptop, mobile phone, tablet or notebook.
• Never Alone – Every public Wi-Fi network is, in fact, public. It is imperative to turn off any access to file sharing and make sure that the mobile device’s firewall is turned on. It is important to never send any confidential information including financial records, credit card numbers, passwords or Social Security numbers across the public Internet Event Wi-Fi connection.
• Watch What Is Sent – Most free Wi-Fi hotspots are not secure, even if the user believes they are. It is important to find a different hotspot that is secured, or use of virtual private network (VPN) to provide a secured environment when online. 
• Stay Secured with a VPN – By connecting through a VPN (virtual private network), any information or data that is transmitted over the most public Wi-Fi connection will remain invisible to everyone including cyber-thieves and hackers.

Unless the online user is connected through an Event Wi-Fi or hotel network using a virtual private network (VPN) they should avoid any type of online banking or the transfer of any confidential information. VPNs can significantly minimize or eliminate the risks of being connected through even the most corrupt Event Wi-Fi or hotel network system.

Wi-Fi isn’t the only peril at events. Learn how to keep secure at major events like Kaseya Connect 2013 in this free eBook.