Password Tips for Businesses

This year Microsoft made a very public statement about how they're fundamentally changing how passwords will work in Microsoft Windows 10 moving forward. Most significant is that they're dropping the password expiration recommendation. This brings their recommended policies closer to what NIST has also published on this topic. On one hand, this brings a collective sigh of relief from many end-users who are vexed when they see the dreaded "you must change your password in 14 days"... 13 days... 11 days... On the other hand, forced expiration was previously seen as 'low hanging fruit' for any IT consultant who came in to perform a security audit: point out that the business doesn't force its users to change their passwords, and you have a finding.

There are many reasons for the recent change in direction by both Microsoft and NIST. But the biggest reason, I propose, is that the threats to passwords have fundamentally changed compared to the past. There is a good chance your email address is already known to attackers, and, more to the point, so is at least one of your passwords. As of today over half a billion unique passwords have been exposed in known breaches. And cracking or otherwise compromising a password is far easier than it ever has been.

What these shifts by Microsoft and NIST demonstrate most is that 'good enough' approaches to security simply aren't. Arbitrarily forcing users to change their passwords doesn't make them more secure, and it has been argued that it often makes them less secure, because users work harder to find ways to remember their passwords. Is 'Th0rsHammer2' any more secure than 'Th0rsHammer1'? Likely not, but research consistently shows that incrementing a digit is exactly what users do. Let's step back and understand why we ever considered changing passwords frequently. The fundamental reason is that a password becomes exposed, known to bad actors. The theory used to be that exposure was unlikely, but just in case, changing passwords frequently would limit the damage. Nowadays we know better: it isn't a question of "if" but "when". And the follow-up question is, once your password is compromised, how long do the bad guys need? With a typical 90-day forced change, a password compromised at a random point in the cycle remains valid for 45 days on average, more than enough time to do damage.

The new model focuses on two elements:

  1. End-user education: primarily focused on identifying threat vectors such as phishing attempts, but also on how to choose a good password and how to avoid password reuse.
  2. Detection of compromise: this one is more technologically involved. It requires threat detection that identifies potentially compromised accounts or servers, and then uses that signal to force a password change on the affected accounts, rather than forcing changes on a calendar.
Recommended Action Items for SOHO (Small Office, Home Office)

  1. End-user education: Ensure that end-users receive training on how to identify and avoid phishing emails, how to choose a good password, and that business and personal passwords should never be the same.
  2. Ensure that every computer requires a password to log in; no accounts should be password exempt.
  3. Consider using a password manager like LastPass which will help create and manage your passwords. That way you can have unique passwords for every account.
  4. Consider using a Two-Factor Authentication (2FA) system whenever possible such as Microsoft Authenticator.
  5. Use OpenDNS which provides a basic level of threat protection for employee website activity.
  6. Pay attention to data breaches of large companies. Consider forcing password resets when such an event occurs, because there is a high likelihood your users are sharing a password between such large companies (LinkedIn, Yahoo, etc.) and your network.

Recommended Action Items for Small Business (10-50 employees)

  1. End-user education: Ensure that end-users receive training on how to identify and avoid phishing emails, how to choose a good password, and that business and personal passwords should never be the same. Train them to use a password manager instead of sticky notes or Excel files with passwords plainly documented.
  2. All systems should be domain-joined with password policies in place, ensuring that all accounts have strong and long passwords. Remove your periodic forced password expiration policy.
  3. Audit your existing use of role accounts, automatic login accounts, shared accounts, etc. Whenever possible eliminate such accounts so there is a one-to-one audit trail back to a specific user. When role or shared accounts are needed, they should generally have far fewer rights than normal users, and policies need to be in place to reset this upon any employee change.
  4. Consider using a password manager like LastPass which will help create and manage your passwords. That way you can have unique passwords for every account. Professional versions permit the ability to share passwords when needed.
  5. Consider using a Two-Factor Authentication (2FA) system whenever possible, such as Microsoft Azure AD Multi-Factor Authentication.
  6. Use OpenDNS which provides a basic level of threat protection for employee website activity.
  7. Pay attention to data breaches of large companies. Consider forcing password resets when such events occur, because there is a high likelihood your users are sharing a password between such large companies (LinkedIn, Yahoo, etc.) and your network.

Recommended Action Items for Medium Business (51+ employees)

  1. All the items listed for Small Business PLUS:
  2. Ensure all public-facing websites exposing corporate resources (webmail, website, extranet, client portals, etc.) implement protections such as a WAF, Fail2Ban, and similar controls. Those resources should be placed in your DMZ, which is isolated from your local network and uses completely different administrative credentials.
  3. Outbound traffic filtering, including DLP (Data Loss Prevention), Advanced Threat Protection and content filtering.
  4. Consider implementing password auditing tools which compare your network's password hashes against known breached passwords, and force a reset on the accounts that match.
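As an added, offline example (not code from the original post or from any vendor's auditing tool) of how such a breach comparison can be done without handing the password itself to a third party, the following Python implements the k-anonymity range lookup used by the Have I Been Pwned Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every known hash suffix under that prefix with its count, and does the match locally. The range responses below are constructed sample data in the API's `SUFFIX:COUNT` line format, not real results, and `offline_fetch_range` stands in for the HTTPS request. In a real domain audit the same comparison is run against the stored password hashes, not against plaintext passwords typed in.

```python
"""
k-anonymity breach check: only a 5-character SHA-1 prefix ever leaves the
client; the 35-character suffix is matched locally against the returned range.
"""
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form the range protocol works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_query(digest_hex: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that stays on the client."""
    if len(digest_hex) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {uppercase suffix: count}."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the corpus (0 = not found).

    `fetch_range(prefix)` retrieves the range response for a 5-char prefix.
    In production that is an HTTPS GET; here it is an offline table lookup.
    """
    prefix, suffix = split_for_query(sha1_hex(password))
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


def should_force_reset(password: str, fetch_range: Callable[[str], str],
                       threshold: int = 1) -> bool:
    """Policy hook: reset when the password has been seen at least `threshold` times."""
    return breach_count(password, fetch_range) >= threshold


# Constructed sample range data (NOT real API output). The first suffix is the
# well-known SHA-1 of "password" split after 5 hex chars; its count is made up.
# Filler suffixes pad the response the way a real range is never empty.
FILLER_LINE = "0" * 34 + "A:7\n"
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1\n"  # near miss: last nibble differs
        + FILLER_LINE
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the network call: return the constructed range for a prefix."""
    return SAMPLE_RANGES.get(prefix.upper(), FILLER_LINE)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_for_query(sha1_hex(pw))
        print(f"{pw!r}: sent prefix {prefix}, seen {breach_count(pw, offline_fetch_range)} times, "
              f"force reset: {should_force_reset(pw, offline_fetch_range)}")
```

The point of the prefix split is that the service learns only which of 16^5 buckets the hash falls in, so even a compromised or logging lookup service cannot recover the password from the query; the count that comes back lets you set a policy threshold rather than treating a single appearance the same as a million.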

 

The above lists are based purely on the topic of password-related security; there are many additional security matters which any business should have professionally assessed.

Dad needs a new computer?!

One of the banes of most IT professionals is when family members ask for help purchasing a computer, or worse yet, when they have just purchased something from a big-box retailer and need help.

This is a multi-part story inspired by my dad who called me recently for a computer question he had. It made me realize that 13 years ago I helped him purchase the computer he currently has. I couldn’t believe it’s been that long! I’m thankful that after he received the catalog for home computers from Dell that he immediately came to me to ask for advice…

Now I’ll get back around to what computer I help him select because I want this to sink in for just a moment…

My dad has a desktop computer,

that was purchased 13 years ago,

that he is still using…

And as for performance, it works just as well today as it did when it was first purchased... Almost unbelievable! Oh, and he has no plans on replacing it either!

Okay, now as the commercials for miracle weight loss say, “results are not typical”… but they are not wholly unexpected. Let’s talk about this a bit.

My first advice to anyone purchasing a computer for home use is to skip the big-box stores, and even anything seemingly consumer grade. Everything in this realm seems to be designed with a short lifespan in mind: cheaper parts, poorer construction, etc. Not to mention all of the consumer bloatware that seems to come on them. So the first thing I tell anyone and everyone is to go straight to a major computer seller's "enterprise" tab on their page, be it Dell or HP or whomever. Normally anybody can still order these, and the benefits are more solid construction, longer MTBF and usually far less bloatware preinstalled. In this case, 13 years ago I had my dad purchase a Dell OptiPlex workstation.

Now if you simply do that, it shouldn't be surprising to get 6+ years out of the hardware; to get over 10 years is to really be getting your money's worth. Truth be told, he did have to replace the power supply once, but that was likely caused by a recent series of lightning storms in his area that the little power-strip surge protector couldn't really protect against.

But okay, let’s talk about performance… There are really two prongs to why this thing performs so well…

First, he uses his computer for just word processing, and printing, nothing else. Nothing online, and he wanted his computer to be as secure as possible from such threats. So that makes things really easy. Realize that if the computer is an island, with no external connectivity, no internet, no USB drives, etc., then it really is an island. What are the threat vectors in this case? Beyond someone with physical access to the machine, none really. So, do you need patch management? Not if the system is working. Most 'bugs' patched these days are about vulnerabilities, not functionality. And honestly, after 13 years, if there are any functionality quirks, he doesn't see them as such, but just works through or around them. It really is surprising to see how stopping patching significantly improves system performance and reliability!

For the record, I'm a huge proponent of patch management, but that is because in virtually all cases you have threat vectors you need to account for. But let's pause for just a moment and think about that: are there places or situations where you can vastly improve security and performance by outright removing a threat vector such as the internet? It's also worth mentioning that because of this lack of patching, the 2007 Daylight Saving Time change was never patched on his computer. But there are ways to manually apply that adjustment yourself on such systems.

But beyond that, let's talk about the statement that it runs at the same performance level. That is a true statement, although perhaps a bit misleading. Do you remember having to wait for Windows XP to boot up? I sure do. Although if you think back, XP made a lot of waves because it did boot much faster than prior operating systems of the day. But that aside, Windows 10 boots almost instantly. That is what end users expect these days; my iPhone is instant on. The concept of having to wait befuddles us nowadays. So by today's comparison, the computer is slloooooowwwww. But that is just my modern comparison. It works just as fast as it always has. After all, the processor is still ticking away at the same speed, and the software hasn't changed at all.

The biggest reason it isn’t a problem for him is that he has no point of comparison. He is retired, the computer works the way it always has. He hasn’t worked on more modern, faster computers.

It's also probably a mindset: my parents have hundreds of VHS movies. Sure, they have DVD and the latest Blu-ray discs, mostly because it's virtually impossible not to buy a Blu-ray player. So sure, they've got the latest and greatest, and the quality is better than VHS, although who knows how well they actually see with their aging eyes. But why throw out thousands of dollars worth of working (inferior) VHS movies and buy again higher-quality movies which, at the end of the day, are the exact same movie, story, actors, lines, etc.? And most of those movies really were filmed using the inferior camera equipment of the day. So is there really a big difference in Gone with the Wind on Blu-ray, since it was captured with 70-year-old, non-digital camera technology?

In the end it's a bit of a philosophical discussion. Perhaps.

But what’s the takeaway from this article, if any? I would propose a few points:

  • Purchasing: realize that enterprise gear is often worth it even for personal use because, while it can be marginally more expensive, it can last far longer. I think his tower cost under $500.
  • Security: consider how in every environment security and performance can be improved by removing threat vectors. Remember that patch management is one tool we have to address threats and isn't a panacea in itself.
  • Performance: performance is very relative, and subjective. Each use case is different; purchasing or upgrading in blanket terms is wasteful. Each user, department, or situation can often be different and unique. Address them as such.

100,000 Mark


I was recently reviewing some of the statistics and discovered we have over 100,000 views, not including search engine crawling. A couple of more interesting statistics:

Thank you to all of my readers who are enjoying the posts and finding them valuable! It has been a lot of fun sharing the technical information I have with everyone and helping give back to the online community which has taught me so much...

~ Enjoy!

Hashed Passwords

Something making a lot of news in the papers recently is compromised usernames and passwords. This has been seen at companies such as LinkedIn, Yahoo and Dropbox. In some of these cases the passwords were stored without adequate protection, so that once someone captures the data, they know your actual password. And since many people share passwords among accounts (using the same password for LinkedIn and Facebook), it opens your account to compromise on multiple systems. This is made worse when more sensitive logins, for bank accounts or your work e-mail, use the same password you used on Facebook.

One common technique used by web developers and programmers in general is to NOT store your actual password but rather a hashed version of it. A hash is a one-way function: once a password has been hashed it cannot be reversed back out (hence the one-way part). A good hash function is also designed so that finding two inputs which produce the same output is infeasible, and even a single-character difference results in a radically different output. This is used so that nobody, not even the database, needs to know your real password. When you enter your password at login, it is run through the same hashing algorithm and the output is compared with what is stored in the database for your account.

To make this more secure, many web developers also add "salt" to the hashing process: a random value, unique to each account, that is combined with your password before hashing and stored alongside the result. The salt does not need to be kept secret. Its benefit is that an attacker can no longer use a precomputed table of hashes for common passwords, and two users with the same password no longer share the same stored hash, so every account has to be cracked separately. Using a deliberately slow hash function on top of that makes each guess expensive.
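As an added illustration (not code from the original post) of the difference between the two storage schemes described above, the following Python uses only the standard library: an unsalted SHA-1 table falls to one pass over a wordlist, while a per-account random salt plus PBKDF2-HMAC-SHA256 forces separate work per account and a constant-time comparison at login. The leaked table, usernames and wordlist are constructed inline; the record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are choices made for this example, not anything the post prescribes.

```python
"""
Unsalted hash versus salted, slow hash for password storage.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# --- the weak scheme: hash(password), no salt --------------------------------

def unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Given {user: unsalted_sha1_hex} from a leak, recover passwords.

    Each word is hashed ONCE and the result is compared against every user,
    so identical passwords fall together and a precomputed table works forever.
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}

# --- the stronger scheme: per-account salt + slow, iterated hash -------------

ITERATIONS = 200_000  # example floor for this demo; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The salt is stored in the clear next to the digest; it is not a secret.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.

    Malformed records (wrong field count, bad hex, non-integer iterations)
    are rejected rather than raising, so a corrupted row cannot crash login.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex.lower())


def demo() -> Dict[str, object]:
    """Constructed leak: alice and bob share a password, carol does not use a
    dictionary word. Returns the outcomes so they can be inspected."""
    wordlist = ["123456", "password", "letmein", "qwerty"]
    leaked = {
        "alice": unsalted_sha1("password"),
        "bob": unsalted_sha1("password"),
        "carol": unsalted_sha1("Tr0ub4dor&3"),
    }
    cracked = crack_unsalted(leaked, wordlist)          # alice and bob fall at once
    rec_alice = hash_password("password")
    rec_bob = hash_password("password")                 # same password, different record
    return {
        "cracked": cracked,
        "same_unsalted_hash": leaked["alice"] == leaked["bob"],
        "same_salted_record": rec_alice == rec_bob,
        "alice_login_ok": verify_password("password", rec_alice),
        "alice_wrong_pw": verify_password("Password", rec_alice),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Salting does not make a weak password strong; "password" is still the first guess for every account. What it changes is the economics: the attacker must repeat the slow hash per account per guess instead of building one lookup table for the whole leaked database. This is also why a site that can e-mail you your existing password is telling you it has neither property.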

What brings this to mind is something I encountered today. I forgot the password for a specific online portal that I rarely use, and since I never document passwords, it is really all left up to my memory to recall. Typically when you go to a website and click "forgot password" they will e-mail you a new password or a link to create a new password. However in this case, they e-mailed me my password. What this illustrates to me is that they don't actually hash their passwords, and likely don't encrypt them either. With this, I know for certain that it is possible for someone at that company (or someone with malicious intent) to access my password. This is very concerning.

In the day that we live in, it is very important that we ask our vendors to use more secure methods for storing our passwords. If they can tell us what our passwords are, that is concerning.

Also, since we cannot always force a vendor to do something, please remember to be vigilant in how you handle passwords. Avoid using the same password on multiple sites, and ensure that you change them periodically. If one of the services you use (such as LinkedIn) has a data breach, be sure to change the password everywhere you used it.

Enjoy!

Welcome to Apple

Apple is recognized as one of the world leaders in innovation and in bringing consumer products to market with outstanding success. While there are some amazing leaders at the company who are visionaries, including the late Steve Jobs, there is a lot more at play. There is a company culture which empowers all of their employees. I received a copy of their "welcome to Apple" memo, which, while short, is amazingly powerful. It speaks to the culture of the company, where they encourage their employees with an enhanced sense of purpose.

In the book Drive: The Surprising Truth About What Motivates Us by Daniel Pink, which is backed up by several published academic studies, purpose is one of the driving factors of what motivates us in life. There is a shift taking place in the workplace as it relates to motivating employees to improve productivity. Our industrial-era management thinking says that placing a proverbial carrot (bonus, fear, or other monetary pain/pleasure) was effective when the labor required no cognitive thought (assembly-line work), but as the nature of work in the majority of western countries evolves into positions requiring cognitive thought, the carrot provides worse results.

What Pink speaks about, which can be seen at TED, as well as animated at RSA, is that we are motivated by purpose, autonomy and mastery. This welcome memo to all new employees at Apple is an excellent example of reinforcing a culture of purpose.

Management Section Import

I brought over to this blog several (okay, 50) blog posts I did back in 2007-2009 on management, business growth and managed services. They are now part of this website with the original dates intact. Here is a quick highlight of some of those:

Customer Service is about the relationship between a great customer experience contrasted against minimizing corporate liability.

Employees is the old adage: slow to hire, quick to fire.

Spend money to save time – I share about the relationship between time and money and at which point it is valuable to spend money instead of time on specific tasks.

Building relationships is about cultivating key relationships with individuals who can help your business grow.

Building your legal team – I share about the value behind establishing your legal team early, before you really need them.

Building a moat is sound advice from Warren Buffett regarding building an economic moat to protect your business by creating market differentiation.

The Principle of the Matter is about the cost associated with doing something out of the saying "principle of the matter" instead of sound judgement.

Virtual Office Space is how to provide a big-business look and feel without the associated costs. This is a great option for professionals who can work from home but need an upscale meeting place.

Changing Services speaks to the importance of keeping to your key areas of expertise and avoiding branching out unnecessarily after money.

The Counter Offer is about the growing trend of attempting to retain departing employees, and the risks in trying too hard to keep them at your company.

Enjoy!

2011 in review

The WordPress.com stats helper monkeys prepared a 2011 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 20,000 times in 2011. If it were a concert at Sydney Opera House, it would take about 7 sold-out performances for that many people to see it.

Click here to see the complete report.

The Counter Offer (part 2)

I just completed importing several older blogs, and among them there was one titled The Counter Offer. This is the second installment of that article, which was never published. In that article we discussed that a growing trend is to offer departing employees a counter offer in an attempt to retain their skills. However, these efforts are often risky and do not necessarily ensure that we have the best environment moving forward.

With that stated, it begs the question, "so what should we do with departing talent?" The best thing you can do is typically let them go, unless you have a short-term strategy to retain them just long enough to replace them.

So beyond that, what are you to do? It is an excellent opportunity for a very open and honest exit interview. Beyond simply having their manager or HR perform the interview, consider having someone they trust do it, such as a different department manager, a supervisor or even a peer. The goal is to obtain the best information on why they are really leaving. That data should be incorporated into a 360-degree review of the department, the manager and the organization as a whole. How does the departing employee fit into the organization as a whole? Typically if you were considering a counter offer this isn't an employee you want to lose, and you find value in what they bring to the company.

Usually the first great employee leaving is the tip of the iceberg, and we need to pay serious attention to discover what we're doing and whether we need to adjust our employee retention process. What? You don't have a formal employee retention process? It is time to start putting one together. Here are a couple of ideas for you:

First, you don't need to begin with compensation. Most managers who have the title because of a natural promotion instead of training or education begin with compensation. As a matter of fact, several well-published studies outright say that financial reward for performance, when even minimal cognitive skill is required, results in worse performance. Yes, this is the opposite of our expectation. In our industrial-era mentality, we have been raised to believe that the effort-reward system works. That bonus program is successful when we are talking about tasks which do not require cognitive thought, areas such as assembly lines or manual labor. But the moment individuals are required to turn on their brains and use their thoughts to create productive results, money has a negative effect on performance.

What researchers have discovered is three things which lead to better performance and personal satisfaction, and isn't that the key to retaining talent?

  • Autonomy
  • Mastery
  • Purpose

Evaluate for a moment in what ways you can encourage your staff to be more autonomous (which isn't working solo, but rather self-directed); to pursue mastery (enabling them to become an expert at something); and to find purpose (the "why" behind what they get up for every day, and it shouldn't be just a paycheck). Take a look at this YouTube video: The surprising truth about what motivates us.

The next area is understanding the workplace environment. It is amazing how much the culture can impact overall workplace satisfaction. The late Stephen R. Covey, in his book The 8th Habit, shares about the six cancers which inhibit greatness in people: cynicism, criticism, comparing, competing, complaining, and contending. This is something that is best changed from the top down, as well as by identifying several key people at the lower levels of your organization who can be intentional about building a positive workplace environment. Also understand how your current management processes might be encouraging these cancers.

A second perspective on the workplace environment is to understand the actual physical working space. Do your employees have the tools they need to perform their jobs? Are their basic environmental needs met? Environmental change can be something as basic as ensuring a clean, working (non-broken) environment, all the way to very elaborate office setups designed by professional workplace designers. There is one place where, for years, the bathroom mirror wasn't hung on the wall, the hand towel dispenser was broken so towels were just stacked on the counter, and the TP dispenser was broken as well. Seemingly unimportant things, but they have a slowly deteriorating effect on employee morale and pride in their workplace. A quick coat of paint and basic maintenance made an immediate improvement in several employees' pride.

Finally we get to compensation. It is always surprising to many people that this is at the end of the list. It is also surprisingly more complex than many people think. Again, let's take a look at the first section about motivating people. Simply a bonus or a higher hourly wage isn't sufficient to improve productivity or worker satisfaction. There are two factors on compensation I'd like to focus on:

(1) Take the issue of money off the table: employees should be compensated at a level which meets their needs, and given measurable and predictable control over their compensation. An excellent tool I learned from Michael Brand, Executive Vice President at Cornish & Carey Commercial, was that he would have his team members interview with three competitors each year. They were required to report back on how those interviews went. Can you imagine! Encouraging your team to seek out the competition. That takes boldness. There are two takeaways from that exercise. First, it forces the employees to evaluate their own real value in the marketplace. Many people have a higher sense of self-worth than is accurate; an interview forces that into reality, causing them to take an honest look at themselves, which can be very humbling. Imagine how your annual reviews would go if employees were first required to have interviewed at three different competitors. The second is the other side of the same coin: this is the point where your organization is forced to evaluate how good your environment is for your employees. What are you doing to motivate employee loyalty?

(2) Understand what would motivate them financially aside from their paycheck. Several places have employee-owned companies or profit-sharing plans. A recent survey of web developers showed, to my shock, that profit sharing was dead last among the things they care about; second to last was medical benefits (the group was primarily 20-somethings who think they're invincible). For some employees compensation may come in the form of more PTO, better break-room perks (free lunch, booze, etc.), a free massage or car wash. Some companies offer company vehicles, cell phones, laptops, etc. One company, Atlassian, actually gives you a one-week vacation before your first day of work!

The overall goal is to ensure a positive outlook and to capture the potential to become even greater with every change. Learn from departures, and bring about positive change in your environment. Not all employees who leave are ones you want to change your culture over; in fact, the majority of employees that leave are going to be incidental and insignificant to the company. However, those employees which you would want to keep around, those which you have been tempted to make a counter offer to, are the ones you can really learn something from.

In summary, be sure to capture the real reason why an employee is leaving, and leverage that to create an atmosphere where people want to stay and are not tempted to leave. Understand that what motivates people is autonomy, mastery and purpose; create an environment free of the six cancers; ensure your environment is something you can take pride in; and finally, understand that compensation transcends the paycheck.

HIPAA Compliance & Faxing

The primary objective of HIPAA is that health organizations have the infrastructure and procedures – administrative, technical and physical – that allow them to safeguard patient health information from any kind of exposure or disclosure to unauthorized parties when this information is required to be transmitted or delivered to authorized individuals.

HIPAA does not prohibit the use of fax machines to communicate PHI; however, the information is subject to strict regulations that protect its privacy and security at the point of dispatch, during transit and at the point of delivery.

The security provisions of HIPAA require "reasonable" efforts to make sure that information delivered via fax has been sent securely and was received securely, by the person intended.

HIPAA makes a number of demands to ensure that patient health information is properly protected. These, in relation to security and privacy, include:

• All fax machines are to be placed in a secure area and are not generally accessible.
• Only authorized personnel are to have access, and security measures should be in place to ensure that this occurs.
• Destination numbers are verified before transmission.
• Recipients are notified that they have been sent a fax.
• Include a cover sheet clearly stating that the fax contains confidential health information, is being sent with the patient's authorization, should not be passed on to other parties without express consent, and should be destroyed if not received by the intended recipient.
• Any patient data should be in the fax body and not in any of the header or transmission data fields.
• Faxes are to be sent to secure destinations; i.e., the fax machine of the recipient must be in a secure location, accessible only by those authorized to receive the information.
• Maintain a copy of the confirmation sheet of the fax transmission, including the necessary data such as time and recipient's number.
• Confirm fax delivery by phoning the recipient.
• Received faxes are to be stored in a secure location.
• Maintain transmission and transaction log summaries.
