Hashed Passwords

Something making a lot of news in the papers recently is compromised usernames and passwords. This has been seen from companies such as LinkedIn, Yahoo and DropBox. In some of these cases they are storing passwords unencrypted, so that once someone captures the data, they know you actual password. And since many people share passwords among accounts (using the same password for LinkedIn and Facebook) it opens your account to be compromised on multiple systems. This is made worse when more sensitive logins, for back accounts or your work e-mail is the same password you used on Facebook.

One common technology used by web developers and programmers in general is to NOT store your actual password but rather to use a hashed version of your password. Hashing is a form of one-way encryption where once has been hashed it cannot be reversed out (hence the one way part). It also is specifically designed so that there is no two inputs which can create the same output. In fact, even a single character difference usually results in radically different outputs. So this often used so that nobody, not even the database needs to know your real password. All that they do is when you enter your password at login, it will run the password through the same hashing algorithm and then make sure the output matches what is stored in the database for your password.

To make this more secure, many web developers will also add “salt” to the hashing process. That is, they add some extra information to your input before it is hashed. Then benefit of this is that as long as the salt is kept secret, it makes it significantly more difficult for your actual password to be discovered.

What brings this to mind was something I recently encountered today. I forgot the password for a specific online portal that I rarely use, and since I never document passwords, it is really all left up to my memory to recall. Typically when you go to a website and click “forgot password” they will e-mail you a new password or a link to create a new password. However in this case, they e-mailed me my password. What this illustrates to me is that they don’t actually hash their passwords, and don’t likely encrypt them either. With this, I can know, for certain, that it is possible for someone at that company (or someone with malicious intent) can access my passwords. This is very concerning.

In the day that we live in, it is very important that we ask our vendors to be using more secure methods for storing our passwords. If they can tell us what our passwords are, this is concerning.

Also, since we cannot always force a vendor to do something, please remember to be vigilant in how you handle passwords. Avoid using the same passwords online, and ensure that you are changing them periodically. If one of the services you use (such as LinkedIn) has a data breach, be sure to change all passwords for places which you used that password at.

Enjoy!

HIPAA Compliance & Faxing

The primary objective of HIPAA is that health organizations have the infrastructure and procedures – administrative, technical and physical – that allow them to safeguard patient health information from any kind of exposure or disclosure to unauthorized parties when this information is required to be transmitted or delivered to authorized individuals.

HIPAA does not prohibit the use of fax machines to communicate PHI; however the information is subject to strict regulations that protect the privacy and security of the information both at the point of dispatch, during transit and at the point of delivery.

The security provisions of HIPAA require “reasonable” efforts to make sure that the information delivery via fax has been sent securely and was received securely and by the person intended.

HIPAA makes a number of demands to ensure that patient health information is properly protected. These, in relation to security and privacy, include:

•All fax machines are to be placed in a secure area and are not generally accessible.
•Only authorized personnel are to have access and security measures should be provided to ensure that this occurs.
•Destination numbers are verified before transmission
•Recipients are notified that they have been sent a fax.
•Include a cover-sheet clearly stating that the fax contains confidential health information, is being sent with the patient’s authorization, should not be passed on to other parties without express consent; and should be destroyed if not received by the intended recipient.
•Any patient data should be in the fax body and not in any of the data fields.
•Faxes are to be sent to secure destinations; i.e., the fax machine of the recipient must be in a secure location, accessible only by those authorized to receive the information.
•Maintain a copy of the confirmation sheet of the fax transmission, including the necessary data such as time and recipient’s number.
•Confirm fax delivery by phoning the recipient.
•Received faxes are to be stored in a secure location.
•Maintain transmission and transaction log summaries.

IT Services Policy: Billable Hour

This is to help define what activity is billable versus non-billable activity under a typical Managed Services Agreement (MSA/MSP). Beyond the obvious that activity which is for the direct benefit of a client, and that activity relates to either an hourly billable event and/or counts against a contract – that activity is considered billable. However here are some additional examples of each:

Billable

  • Company internal work which is assigned a ticket from the IT Manager
  • Client work (ticket & project) which is assigned a ticket from the IT Manager
  • On-site, remote and bench work which is billable to the client
  • In-office prep time for billable on-site time (pulling equipment for install, etc)
  • Warranty work for “completed” tickets performed by someone else
  • Travel time to/from clients, except for before/after work/lunch periods.
  • Design & Implementation meetings for clients – “here is how we are going to go about backup”.

Non-Billable

  • Training, education, conferences, etc.
  • Corporate meetings, one-to-ones, etc.
  • Warranty work for “completed” tickets performed by yourself.
  • Client “touches”: stats updates, “hi”, proposals
  • Training meetings regarding clients – “here is how you….”

Technology Policies/User Passwords

It is the general policy that the IT staff does not need to know the individual user passwords and will take every effort to ensure that we do not keep this information. As a result, whenever we need access to a users account, we will generally choose one of two options:

  1. Have the user (if available) enter in their password; or
  2. Change their password on the server, and when completed, set the password to “require change on reboot”.

It is important that after a users password has been reset, that the following process be followed to notify them of their new password:

  • A note (preferably type written) explaining that work has been completed on their system and to check their voicemail for their new password.
  • On their voicemail, leave them their password (repeat slowly twice) and inform them that they will be prompted to change it when they next log on. Additionally, if they have questions to contact the office.

Technology Policies/Network Printers

Network Assignment

To properly configure network printers initially on a windows network:

  1. Leave printers setup in DHCP
  2. Check DHCP server and use the MAC address information to establish a DHCP reservation. Remember to set the reservation in ‘all’ DHCP servers.
  3. Restart the network printer as necessary
  4. Add printer on server via TCP/IP address
  5. Deploy via Group Policy

Color Network Printers

  • Configure default color setting as “black & white” which will force the end users to choose color only when the want it.
Rationale: From experience, users will not elect to go through the extra steps required to select black & white when printing and e-mail or website, even when color is not necessary. However, these extra color pages can contribute significantly toward the number of annual color pages.
  • Color printing access: depending on the printer/MFP device, along with its drivers, there are several options to restrict color printing.
  1. Use the printer configuration for access control lists within the printer itself, which will then require a “code/password” on each client’s workstation to be setup.
  2. Create two different shared printers on the server, one of which is black & white only (color disabled) and then use windows ACL to determine who has access to which features

Technology Policies/Guest Users

We’re starting a new series on Monday called “Policy Monday” to help share common technology policies. This week we’ll start with Adding Guest Accounts to the Network.

The following is a general guideline for creating guest user accounts on Active Directory based Windows network.

  1. Create a new Guest Organizational Unit
  2. Create the guest account:
    1. If it is a role account (several temps performing the same job) then create a “role based” username
    2. If it is restricted to a single user for a short period of time, then create a “real name” based username
  3. Set the account expiry to something reasonable
  4. Set the change password on next logon and assist the user with their first logon to the desktop.

Magic Touch – Customer Service

magic hat and wand with clipping pathThis process known as Magic Touch relates to the customers experience and viewpoint regarding our on-site service. Specifically, it is the illusion of our ability to magically fix technology problems without panic or stress. This results in an end user perception of professionalism and experience.

However in reality, a great majority of the problems we will be asked to resolve will be relating to software, hardware or problems we have never seen before. Our professional illusion is maintained by out ability to properly handle these instances. Below, is a methodology which is common in the industry, and the terminology taken from Adrian Grigorof, B.Sc, MSCE.

Continue reading “Magic Touch – Customer Service”

Monitoring employee activity

i found you!A request that comes around a couple of times each year is a client who is looking to monitor the internet activity of their employees. I’ve been helping clients with this for years, but the first place we always start is the employee handbook: do you have a policy to permit your monitoring. Why you ask. According to the trial courts of California, your employees have an implied sense of confidentiality because they use a password on their computer. So, what can you do? A couple of options. One would be to amend your employee handbook. Another would be to have a written computer use policy. Beyond simply settings yourself up to monitor this activity, the mere fact that you publish this policy will be a strong deterrant to your employees.

So, what should you include in this policy…

  • The computer network, servers, computer and internet is the property of the company
  • Information created, stored or transmitted through the company network is subject to inspection and monitoring
  • Personal computer or other technologies, which are connected to the company network are subject to monitoring and inspection
  • There is no assumption of confidentiality for any activity taking place on company resources
  • The personal use of the company network is {discourage, prohibited, permitted}
  • The use of the company network for illegal activities, including p2p filesharing, is prohibited
  • Company harrasement policies include electronic forms
  • The company may backup, make copies or otherwise duplicate any information on any equipment connected to the company network
  • Management, at it’s discretion may monitor, track, log or otherwise review the use of the company network, including internet and e-mail activities.

As always, be sure to consult your business attorney before implementing a policy of this nature, as well as before taking any form of monitoring actions towards your employees. The illegal use of monitoring of employee activity may not only nullify any sort of disciplinary action, but may also open your company to legal action

NON-COMPETITION AGREEMENTS (NCA)

Non-competition agreements have been standard for many trades throughout the capitalistic history. However, at some point California, being an at will employment state ceased to recognize these documents as binding. The logic is that an employer should no be able to restrict a person from taking a traded they know and using their skills at another company. Equally this applies to employees starting their own firms. How many of us have been apprenticed by another, perhaps even working as an employee at their firm.

While the business logic for a NCA is apparent,  California does not enforce these agreements.

So what is an employer of contract services to do to prevent employees from stealing clients from their former employer? There are a couple of things:

First thing is to make your clients a raving fan of your company, it’s model and brand. Your company brand should be disassociated from individuals likes – yes, they should love your people and have a great working relationship with them; however they should love what the company brings to them even more. Beyond simply avoiding problems with former employees, or even simply because of great customer service; this can make it much easier to exit your company (sell, merge, etc) when the time comes.

Next, market your customers with the value of a larger company (or simply larger than an independent contractor) – such as greater stability, higher availability, diverse skill sets, etc.

Third, remind your staff of the high costs of doing business, the value you provide to them: job and income stability, benefits, holiday and vacations (even if unpaid, they have a job to come back to – try taking a 2 week vacation from your contract clients without problems), administrative and business services — they can simply focus on their trade instead of the business end of things.

Finally, you can bind your clients in their contracts to not recruit, hire or retain your employees, former employees or contractors during the duration of their contract with you, and perhaps 1 year thereafter. This can simply be placed in line with your regular contract terms, but you also want to include two important elements: (1) a stated minimum monetary amount (we placed it at 50% of the annual salary of their regular technician) and (2) a provision for you to receive reasonable attorney fees. Most clients will understand this in the onset of an agreement. You can also gently remind your employees about it – in a non-threatening way.

Now failing all of these, you can likely litigate with your former employees because they’ll likely violate terms of their non-disclosure agreements. But proving this and determining a monetary damages could be difficult.

Realize that this does not prevent this from happening, but rather it is a big deterrent. You also still need to collect from them, which will take much longer than you would expect. With major clients this could be devastating to a company. What would happen if your employee was able to woo your largest client away? How would this affect your business if you could not collect any monetary damages from anyone for 24 months?

We recommend being proactive by making sure that your clients are happy and fiercely loyal. Second to that is having your contacts reviewed by a business trial lawyer.

—-

This is not intended to be specific legal advise, but general information and a guide to help you work with your professional team including lawyers to provide the correct amount of protection for your company. This is part of a 4 week series which came out of a luncheon discussion with several close business associates of mine.

Powered by WordPress.com.

Up ↑