How to Implement Zero Trust for RDP & RDS

 

TruGrid has brought us an informative guide on how to add a layer of security to your clients’ RDP experience. This approach suits clients who value security above everything else, or clients who have been hit by ransomware before, especially through exposed RDP. See whether a zero trust RDP environment can benefit you and your clients’ peace of mind.

 

Microsoft Remote Desktop Protocol (RDP) is one of the most common ways to enable effective Work From Home and Remote Work. Zero Trust for RDP can help prevent ransomware and data leakage between remote users and office networks.

 

This article presents two ways to implement Zero Trust for RDP access and connections: one via Active Directory Group Policy (GPO), the other via policy enforcement at the remote endpoint. The recommendations below assume that RDP itself is not directly exposed to the internet. If you are exposing RDP to the internet, there is a link at the end of this blog with recommendations on how to secure RDP from internet attacks.

 

What is Zero Trust?

Zero Trust is a security model, popularized by Google’s BeyondCorp, that shifts access control from the network perimeter to individual users and devices. An organization extends no implicit trust to a remote employee or device based on where they connect from; instead it grants just the access required to specific authorized resources on the company network, and verifies each request. The end result allows employees to work securely from any location without a traditional VPN, which extends too much trust (typically full network reachability once connected) and is difficult to secure. Zero Trust can be applied to many facets of network security, including RDP access.

 

For example, when RDP access is granted to internal Windows desktops via Microsoft RD Gateway or other secure means, the default RDP settings at the remote user endpoint still allow several of that endpoint’s resources (local drives, clipboard, printers, plug and play and USB devices, smart cards, COM and LPT ports) to be redirected into the session and therefore into the internal network. Drive and clipboard redirection in particular are two-way channels: data can be copied out of the network, and malware can be copied in. This can lead to data leakage or theft, or a successful ransomware attack.

 

Using Active Directory Group Policy to implement Zero Trust for RDP

 

If nothing is configured on the RDP host side, the remote end user’s MSTSC (Remote Desktop Connection client) settings decide which local devices get redirected into the session. Out of the box, MSTSC enables clipboard, printer and smart card redirection, and lets the user turn on drive, port and plug and play device redirection with a checkbox. Because the policies below are enforced by the host rather than the client, a setting applied through Group Policy cannot be overridden by whatever the user selects on their side. To control these, use Active Directory GPO as shown below.

 

1. On a domain controller (or a management workstation with the Group Policy Management tools installed), open the Group Policy Management Console (GPMC). Create and link a new GPO at the OU containing the internal computers you wish to safeguard; or link it at the domain level and use security filtering to restrict it to a security group containing those computers.


 

2. Edit the new GPO and navigate to the following path. Enable the settings listed below.

 

Path: COMPUTER CONFIGURATION\POLICIES\ADMINISTRATIVE TEMPLATES\WINDOWS COMPONENTS\REMOTE DESKTOP SERVICES\REMOTE DESKTOP SESSION HOST\DEVICE AND RESOURCE REDIRECTION (printer redirection lives in the sibling node REMOTE DESKTOP SESSION HOST\PRINTER REDIRECTION)

 

Restrict clipboard, legacy ports, USB and plug and play devices, smart cards, and disks by setting each of the following to Enabled:

Do not allow Clipboard redirection
Do not allow COM port redirection
Do not allow LPT port redirection
Do not allow supported Plug and Play device redirection
Do not allow smart card device redirection
Do not allow drive redirection

Restrict printers by setting Do not allow client printer redirection (under Printer Redirection) to Enabled.

Then run gpupdate /target:computer /force on a target host, or wait for the next policy refresh, and confirm on a test connection that the client’s drives no longer show up under This PC inside the session and that pasting from the local clipboard into the session fails.

 

With the above GPO settings, the computers they apply to refuse device redirection from the remote endpoint, which closes the most common paths for data leakage, data theft and ransomware delivery from the remote user’s network and endpoint. Note the limits: the user (or malware on their endpoint) can still read what is on screen and type into the session, and the policy only protects hosts that the GPO actually reaches.
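The GPO procedure above as a script, plus a check to run on a protected host afterwards. This is an added example, not code from the TruGrid post; it needs the GroupPolicy module (RSAT) on a domain controller or management host, and the GPO name and OU distinguished name are assumptions for illustration. The registry value names are the ones behind the Administrative Template settings listed above.

```powershell
# Added example (not from the original post): create and link the RDP device-redirection
# GPO, then verify it landed on a host. GPO name and OU below are assumed values.
Import-Module GroupPolicy

$GpoName   = 'RDP Zero Trust - Block Device Redirection'   # assumed GPO name
$TargetOu  = 'OU=RDP Hosts,DC=corp,DC=example'             # assumed OU holding the hosts to protect
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry values behind the settings under Remote Desktop Session Host\Device and
# Resource Redirection (and Printer Redirection). 1 means the matching "Do not allow ..."
# setting is Enabled; fEnableSmartCard is the inverse (0 = smart card redirection blocked).
$Settings = [ordered]@{
    fDisableClip     = 1   # Do not allow Clipboard redirection
    fDisableCdm      = 1   # Do not allow drive redirection
    fDisableCcm      = 1   # Do not allow COM port redirection
    fDisableLPT      = 1   # Do not allow LPT port redirection
    fDisablePNPRedir = 1   # Do not allow supported Plug and Play device redirection
    fDisableCpm      = 1   # Do not allow client printer redirection
    fEnableSmartCard = 0   # Do not allow smart card device redirection
}

# Create the GPO once and write every value into Computer Configuration.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
foreach ($name in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $name `
        -Type DWord -Value $Settings[$name] | Out-Null
}

# Link it to the OU if it is not linked there yet. For domain-level linking filtered to a
# security group, use Set-GPPermission -PermissionLevel GpoApply instead of an OU link.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName
if (-not ($linked -contains $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Run this part on a protected host after 'gpupdate /target:computer /force'.
# Ok = False for every row means the host is not in the GPO's scope.
function Test-RdpRedirectionPolicy {
    $applied = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
        -ErrorAction SilentlyContinue
    foreach ($name in $Settings.Keys) {
        $actual = if ($applied) { $applied.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Settings[$name]
            Actual   = $actual
            Ok       = ($actual -eq $Settings[$name])
        }
    }
}
Test-RdpRedirectionPolicy | Format-Table -AutoSize
```

If users authenticate to the session with smart cards, leave fEnableSmartCard out of the table (policy Not Configured) and keep the rest. Because this is host-side policy, it also applies to administrators connecting from inside the LAN, which is usually what you want for a zero trust posture.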

 

Using Endpoint Policy to implement Zero Trust

 

While the above GPO option can be effective, unless it is enforced on all computers at the domain level, IT admins have to keep managing which internal computers the policy applies to. Another approach is to apply the policy at the remote user’s network or endpoint. With this approach, any computer the remote user is granted internal access to is protected against data leakage, data theft and ransomware originating from that remote endpoint and network.

 

Endpoint Policy is also very effective for multi-cloud and hybrid deployments, regardless of where the RDP hosts are located. It is an effective way to ensure that policies are applied uniformly to remote workers and endpoints regardless of which company asset they connect to.

 

To implement Zero Trust for RDP at the remote user / endpoint level, organizations can use TruGrid SecureRDP software. With TruGrid SecureRDP, admins can click a single button that blocks all device redirection between the remote endpoint and the company network.

 


Click here to learn more about TruGrid SecureRDP

Click here to learn how to protect RDP from internet exposure attack

 

 

Technology moves at a breakneck pace. New standards pop up, old technologies lose support, novel threats are revealed, and the wheel just turns and turns. Nothing has really changed with the pattern, but it feels like it’s moving faster than ever before.

 

Things are changing at the same individual rate, but there are more things changing to account for. You used to only need to worry about the basics like networking, servers, and workstations (or similar); now you have to choose among software suites, hosting types, security suites, advanced networking capabilities, and more. The choices have become endless for each one, and very rarely is one option objectively better once you hit a certain minimum. Salespeople have no qualms about embellishing claims, and spec sheets are not always apples to apples when comparing similar suites.

 

Technology comparisons can get downright onerous if you don’t know how to find the right resources to make sense of claims and features. Billing gets even crazier unless you have the buying power to get special treatment. It’s the difference between a flat $0.50 per endpoint per month and a billing scheme with unclear tiers, fixed and/or variable fees, or even a price that varies month to month. When looking at technology, we look at what it promises, what it can show, and how it fits the model for our clients.

 

What Does It Promise?

 

What features does an offering have and what claims do they make? The adage of “if it sounds too good to be true, it probably is,” usually holds true here. But, sometimes you get pricing by buying in early, as a way to expand business, or even as part of a partnership. Striking one of these deals can make your offering that much more amazing if you know how to negotiate a new promise out of the sales team. Pricing may not be the first thing you figure out, but it is one of the biggest deal breakers for a promise.

 

What have you been promised it can do? This can include spec sheets and “raw data”. How well does it actually work out? If you can’t easily weigh an individual promise, look at how well they have held up their previous promises. Don’t look too far back if the company has been through substantial change, unless you want to be extremely cautious: if the entire C-suite and management were replaced a few years ago, you may want to judge only the promises made under the new management. Don’t look too far back if their track record is bad either.

 

AI excites me but also scares the bejesus out of me. Promises get a lot vaguer with Machine Learning (ML) and Artificial Intelligence (AI). AI and ML are computing black boxes. You have an input and (ideally) an output that fits what you want, but you have no real insight into how the process works. The people making it can understand what they’ve put in, but the actual process is still a mystery.

 

You have to know how to make sense of their promises and claims for them to mean anything. How many promises are vague and loaded with empty marketing speak and how many can actually be quantified? Buzzwords are fine if they actually mean something contextually, but they’re less than useless otherwise. How many of the promises make sense? Now, how can you turn their promises into something verifiable?

What Has It Shown?

 

Where does it stand in comparison to its competition? What metrics are those comparisons measured on, and who sponsored the research? What have they shown they can do consistently well? Are there features which stand out that you can actually benefit from? Look at what they have shown they can do for you.

 

Even if something is possible to do, it doesn’t mean it’s practical. That cheap consumer router may say it works great for a business and someone used it for a day when their expensive equipment went down, but does that mean it’s shown anything useful if you’re buying for business? I’ve been in that spot, and they usually work for a day or two at a larger place before having to be continuously rebooted. There’s a reason a commercial or enterprise router costs more and works better in a commercial setting; it’s made to do so. You have to know how to apply the same filters for promises or else you get sold on a different bill of goods.

 

Benchmark the results you get. What can they show you they can actually do and how can you measure the data? A product might work great in a virtualized environment, but how does it work on real life hardware? You have to put the promises you can actually show into the context of how it fits you and your business needs. If you know what to look for, you might get in on something exceptional which is just marketed poorly, or avoid the inverse.

 

How Does It Fit?

 

A great product targeted at a different market may not be a great (or even good) fit. Your business continues to change (just like the businesses we support). What do you need and who is the product targeting? If you’re a Managed Service Provider (MSP), you’ll probably have multiple clients in multiple industries. How do you find the common denominator that can get you better pricing while satisfying all of their needs?

 

A product is going to have an associated cost. I keep coming back to cost, but cost is one of the most important factors for a product being a good fit or not. It doesn’t just matter what a client needs, it also matters what they can afford and are willing to spend. While a single service isn’t going to break the bank, 10 of them will. Technology continues to expand and more and more things become necessary to just run a business. You have to focus on the bigger picture which combines risk, need, desire, and support.

 

You have to take into account compliance, security, accessibility, maintainability, scalability, etc. and all of it costs money. While it’s not ideal, some businesses just don’t have the money to solve certain problems the best way possible. Other times, a certain technology may not have something financially accessible or practical which fits what the client is willing to do. You have to pick something which makes your life easier in some way as the IT professional as well, but sometimes that comes at a cost too, and that cost can be a deal-breaker.

 

Measure each factor and compare it to what you or the client need. If something really simplifies their business, it can be worth the extra cost, but you have to be able to show them. Clients will hold you accountable for your decisions to push a product, so you have to do your due diligence. Make sure it can deliver on its promises and can back up its claims. This helps you determine whether it’s the right fit, or if you need to go a different direction. Not every choice will be a home run, but if you focus on the right factors, you make informed decisions instead of blind gambles.

 

We use our ability to negotiate and our expertise to keep with and stay ahead of market trends. You may not always want to be the first early adopter, but you don’t want to be late to the party either. Where is the market going and how do you get ahead without getting lost?

 

Interested in finding out more about The 20? Click here.

What’s the Difference Between Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA)?


by Sage Driskell

 

All Two-Factor Authentication (2FA) is Multi-Factor Authentication (MFA), but not all MFA is 2FA: 2FA is the special case of exactly two factors. Multi-Factor Authentication works on the principle of proving identity with evidence from more than one independent category: something you know, something you have, or something you are. Standard usernames and passwords can be brute forced or leaked, but requiring a separate, unrelated proof makes that attack impractical. Some schemes add secret questions (effectively extra passwords) or a one-time code from an authentication application. Strictly, only the latter adds a second factor, since a secret question is still something you know.

MFA and 2FA are now a baseline requirement. An 8-character password that once took days to crack can fall in hours to a single GPU rig, or instantly if it appears in a leaked password list, and cheap hardware like a $35 Raspberry Pi is enough to run credential stuffing against sites that don’t rate limit logins. Everything requires a password, and people are lazy and recycle passwords. If a user’s password is compromised on one site, who knows what other accounts are now compromised? Even the most trivial 2FA or MFA solution can reduce the impact substantially.

How Does MFA Work?

MFA (and by extension 2FA) adds a challenge based on knowledge (something you know), possession (something you have) or biometrics (something you are). To count as a separate factor, the added challenge must come from a different category than the password.

Knowledge

This form of authentication relies on a knowledge-based challenge: an extra password, a security question, or some other challenge. The goal here is to buy time without inconveniencing the user. By adding a separate password, an attacker has to obtain both passwords and avoid locking the account while trying. Some implementations rotate among several knowledge tests to make this harder. Strictly speaking, a second knowledge challenge on top of a password is still a single factor, and a keylogger or a phishing page captures both at once.

Some of the first MFA I ever worked with was through a bank. The bank had a list of 20 images which you picked from and added a description to. Each time you logged in, it would give you a subset of the images, you picked the one you had, and then it prompted you for the description. If you got it wrong 3 times, it locked the account for some period of time. My password got hacked plenty of times, but my account never did. Even something this low-tech ended up stopping dozens of potential breaches.

By having you pick the specific image first, it tested your knowledge. The prompt would then pop up no matter what was picked. This method is somewhat safe, but not foolproof by any stretch of the imagination. A single incident with a keylogger could get everything.

Possession

Possession challenges rely on physical possession of a device or some other item: a USB security key, a hardware token, or a phone running an app that generates one-time codes. Most of what people think of as 2FA is the last kind: a time-based one-time password (TOTP) derived from a secret stored on the device and the current time, so each code only works for its 30-second step.

Almost everyone has something like Microsoft Authenticator or Google Authenticator on their phone for work or just general security. If someone manages to compromise your computer, they don’t necessarily get your account outside of the current session. Using a separate device to authenticate mitigates the effectiveness of a keylogger or of a very coordinated attack to gather information on a target. A user can tell someone about their first pet “Mr. Fluffikins” (coincidentally their security verification answer), but if I tell you my authenticator says “224 544” right now it does absolutely nothing to getting through MFA on my account.
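To make the “224 544 right now does absolutely nothing” point concrete, here is an RFC 6238 TOTP generator and verifier. It is an added example, not code from the original article or from any authenticator app; it uses .NET’s HMAC-SHA1 from PowerShell, and the base32 secret is the published RFC 6238 test key (ASCII "12345678901234567890"), not a real seed.

```powershell
# Added example (not from the original article): TOTP per RFC 6238 / HOTP per RFC 4226,
# showing that a code is bound to a 30-second time step and a secret the attacker lacks.
function ConvertFrom-Base32 {
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = [System.Text.StringBuilder]::new()
    foreach ($c in $Base32.ToUpper().TrimEnd('=').ToCharArray()) {
        $index = $alphabet.IndexOf($c)
        if ($index -lt 0) { throw "Invalid base32 character '$c'" }
        [void]$bits.Append([Convert]::ToString($index, 2).PadLeft(5, '0'))
    }
    $bitString = $bits.ToString()
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bitString.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bitString.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-Totp {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Counter T = floor(time / step), encoded as 8 big-endian bytes, then HMAC-SHA1.
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: low nibble of the last byte picks a 4-byte window.
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $b0 = ($hash[$offset] -band 0x7F) -shl 24
    $b1 = [int]$hash[$offset + 1] -shl 16
    $b2 = [int]$hash[$offset + 2] -shl 8
    $b3 = [int]$hash[$offset + 3]
    $binary = $b0 -bor $b1 -bor $b2 -bor $b3
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    param([byte[]]$Secret, [string]$Code, [long]$UnixTime, [int]$Step = 30, [int]$Window = 1)
    # Accept the current step plus or minus $Window steps for clock skew, nothing more.
    foreach ($delta in (-$Window)..$Window) {
        $candidate = Get-Totp -Secret $Secret -UnixTime ($UnixTime + $Step * $delta) -Step $Step
        if ($candidate -eq $Code) { return $true }
    }
    return $false
}

$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'   # RFC 6238 test key, not a real seed
$now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$code = Get-Totp -Secret $secret -UnixTime $now
"Code now:              $code"
"Valid now:             $(Test-TotpCode -Secret $secret -Code $code -UnixTime $now)"
"Valid 5 minutes later: $(Test-TotpCode -Secret $secret -Code $code -UnixTime ($now + 300))"
# Self-check against RFC 6238 Appendix B: T=59 with this key and 8 digits must give 94287082.
"RFC 6238 vector ok:    $((Get-Totp -Secret $secret -UnixTime 59 -Digits 8) -eq '94287082')"
```

The verifier is deliberately narrow: a one-step window on either side covers clock drift, but a code read to an attacker over the phone is dead within a minute. What the attacker actually needs is the seed (the base32 string) or a real-time phishing relay that submits the code before it expires, which is why the seed must never be shown again after enrollment.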

Biometrics

Fingerprint readers, retina scanners, facial recognition, etc. are all forms of biometrics. Biometrics rely on inherent properties of the user. This works both for and against security. A mask or photo can fool some facial recognition, and a carefully crafted fake fingerprint can trick a fingerprint reader. Biometrics are inherent properties, so the entire method needs to be changed if they’re compromised: you can revoke a token, but not a fingerprint. Collecting biometrics for work and similar also presents privacy issues around their storage and usage.

Which Method Works Best?

Most standard 2FA solutions use the principle of possession, but this doesn’t mean it’s objectively the best method. Each of these methods performs a balancing act between convenience and security. Knowledge is the easiest to deploy and manage without extra equipment. Biometrics are the hardest to copy (at present; deep fakes and cheaper sensors aren’t helping here), but they’re also impossible to change in practice. You can’t just grow new fingerprints. Possession strikes a balance: an item or a device can be revoked, but users have to account for an extra device. If you forget your phone, you’re out of luck.

Possession is the most practical at present. Having a physical device means that a stolen one-time code is useless once its time step has passed (the real risks are theft of the seed secret itself, or a phishing proxy that relays the code within its validity window), and the device can be revoked if it is misplaced or stolen. We use the principle of possession (and a degree of knowledge for an added challenge) for ID 20/20, our in-house MFA solution. The trick is using a device someone will (almost) always have and a way to authenticate without inconveniencing the user.

Why Is MFA So Important?

Phishing and social engineering are some of the biggest security threats to businesses. MFA blunts phishing and social engineering attacks by adding a layer that an end user will struggle to give away. It’s easy to type your password into the wrong box, but how do you hand over your phone or a USB key too? You also know almost instantly when one of these devices is missing. The caveat is that a one-time code can still be phished by a fake page that relays it in real time; hardware keys that speak FIDO2/WebAuthn bind the login to the genuine domain and resist that.

You can try and train end users, but people don’t always listen and don’t always want to learn. It’s hard to tell the difference between l and I, or why it matters if a site is .com or .org. What does it mean if a certificate is invalid? Most users don’t know, and more importantly, they don’t really care. They see an email saying they have to “act now” to prevent a catastrophe and they act. Attackers prey on ignorance and emotion.

MFA throws a wrench in the gears for this. The password is only one of the factors; without the second one, stolen credentials don’t accomplish much against their direct target. If 2FA or MFA in general is available, enable it. If a product doesn’t offer MFA and it’s going to hold personal information or other sensitive data, ditch it as soon as possible.

Using More Factors

The more factors in use for authentication, the harder it is for an attacker to get in. The more important information is, the more factors which should be in play. Ideally, use multiple challenges. Have a secondary knowledge test on top of a possession based challenge. Stack the odds in your favor.

A targeted enough attack might get the username and password, but it’s harder to get MFA information. Harder, but not impossible. Your user might tell someone their mother’s maiden name or it might even get breached from a targeted attack elsewhere. The more unrelated pieces of information and unrelated challenges there are, the harder it is to actually breach an account even if the credentials are leaked. Your mother’s maiden name doesn’t help much when it’s necessary in conjunction with a one-time password.

Using MFA

MFA is often seen as a hindrance and an inconvenience, but it’s more important now than ever to use it. Apply MFA where you can to reduce the attack surface for a given product. If you are helping your client find an MFA solution, try to go with something they use already. Don’t go with Google Authenticator if they already have to use AuthAnvil, if you can help it.

You don’t want your bank giving away your money to the wrong person, and you don’t want your users doing the same to their employer either. Present MFA implementation as a protection for the client’s business rather than just a plain “security measure” with cryptic “future risks”. Don’t introduce a technical solution without making it mean something to the client. If you frame MFA the right way, clients will jump on it, but frame it the wrong way and it becomes an inconvenience with no tangible benefit. Sell MFA as a good business move.

Make MFA work for your client and not against them. Even an extra password or some other knowledge-based challenge is better than nothing. It doesn’t have to be the most efficient solution; it just needs to work and provide security.


by Sage Driskell

 

Common Phishing Techniques

“Microsoft Support” | This is an extremely common scheme that many people fall for. Someone receives a call or email from “Microsoft” saying they’re compromised, and the “technician” helps the user allow them to connect to the machine in order to compromise their system. A lot of times, they leave behind malware or other remote access tools which they can use to later harvest information. They also typically charge for their “assistance” and collect data either via an invoice or on the phone.

Bank Emails | This is the most well-known phishing attempt. You get an email “from your financial institution” and the domain is usually close to the real one, but always a bit suspect. The landing pages often look identical to the bank’s page as well. The easiest way to avoid these is to always log in to the bank site directly (typed URL or bookmark) rather than acting on an unexpected communication, unless you specifically know an email is coming (e.g. a password reset you requested).

IRS Emails | As we know, the IRS is almost impossible to work with, so they won’t make your life easy by just calling or emailing you to square everything away; the IRS initiates contact by postal mail. These phishing attempts typically involve “the IRS” reaching out about a “tax issue”, and they’re glad to either collect information (including your Social Security number) to “process your case” or, in some cases, take money to help “pay off the owed sum today only”.

Compromised Service Emails | These are a “warning” from a provider that “the service may have been compromised” and they need your details to continue. The login page is usually either really good or else really obviously bad. There is very rarely a middle ground on these. They will sometimes include a specific email or form to make it easier.

Fake Invoices | This is a fake invoice requesting money for some service. These are commonly used to target companies. The invoices are usually extremely generic, may or may not ask for personal details, and target companies where it is easy to miss a small expense.

419 Scam | These used to just be scams, but they’ve grown in some ways. The goal is to get both your money and your identity. These will typically be a business venture or something, but unlike classic 419 scams, they don’t just start asking for $10k for your $10mil “which is stuck in processing and needs the money to be released, Western Union only please!” These will start out as small investment opportunities or similar which may actually show some signs of legitimacy before the big hit.

Spear Phishing | Spear phishing is phishing aimed at a specific person or role, using details gathered about the target (their manager’s name, a vendor they actually use, a project they’re on) so the message reads as routine. A related lure is the cool flash drive or CD you found in the parking lot near your sensitive workplace: it may be loaded with malware or spyware to infiltrate your environment. Strictly that is baiting rather than spear phishing, but it exploits the same curiosity and misplaced trust.

 

Signs It’s a Phishing Email

The first thing to look for in any questionable email is this: is this someone I do business with? If you don’t have an account, you have no business receiving their email except as spam. Another thing to look for is how the institution normally communicates. If you’re dealing with a bank, they don’t want you to email them a form; most financial institutions and similarly private organizations want you to sign in and fill it out on their site, and almost always have an internal messaging portal or similar for this. Look for obvious grammar and spelling mistakes; these can be a telltale sign that something is amiss. If in doubt, log in directly and check whether the communication is legitimate. If it is, you may still be compromised and should still take caution.

Another thing to look at is the domain. Does it exactly match the one you use for your bank or similar? The names may be very close, but they tend to have some minor difference or will redirect through something else. Just because it looks right doesn’t mean it is. You can also inspect the site’s TLS certificate, but note that attackers obtain valid certificates for their look-alike domains for free these days, so a valid certificate only proves the site controls the domain in the address bar, not that the domain is your bank’s.

Any service which is reaching out can also be called or otherwise contacted to verify the legitimacy of a claim. No one has time for every communication, but anything which looks pressing may be worth trying to communicate with the vendor or service over. I personally just ignore everything unless I get officially contacted about it or know it’s coming.

Another strategy I use is different email accounts tied to specific services. I work with one bank with one account and another bank with a different account. I know I can only receive one bank’s communications on a specific email, so anything on the other email is obviously a trick. Using email accounts only for specific accounts (and literally nothing else) helps because there is a lower chance of the email being leaked, but this does require more effort and upkeep.

 

Further Signs

For more advanced users, you can look at the email headers (to do this in Outlook, see: https://www.technipages.com/outlook-view-message-headers). If you see something like the following message:

 


 

We can see that this is coming from a [email protected] — which I have no idea what that is — and the email to contact is [email protected]. The domains do not match and neither of these have anything to do with Publisher’s Clearing House. I could not find a specific phishing email in my mailbox with forged headers, but see something like: https://www.alienvault.com/blogs/security-essentials/how-hackers-manipulate-email-to-defraud-you-and-your-customers for an example of what to look for. There are legitimate uses for a “forged” header, but this is typically for bulk mailers and similar, and is rare with official communication.

Another thing to look at is the TLD. If the TLD is foreign for something which is US only, you can almost guarantee the email is a phishing attempt. If the TLD doesn’t match the actual company TLD, then you probably have an issue too. Apple.net is not Apple.com. Tech giants like Apple will tend to nail down sister domains, but smaller companies usually don’t have the resources to do this.

Another trick is to copy the domain from the email into something like https://www.diffchecker.com/ alongside the domain of the site you normally use, and compare the two. You might get something like:

 


 

This is obviously a phishing attempt since the domains do not match. A text diff compares code points rather than glyphs, so it also catches a common tactic: swapping in Unicode characters from another script that look identical in most fonts (a Cyrillic а for a Latin a). In the browser such a domain shows up in its Punycode form (xn--…). This technique helps weed out some of the more obvious tricks, but you should still check the headers.
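The header and look-alike-domain checks described above, scripted. This is an added example, not part of the original article: the message headers are constructed for the example (the sender address contains a Cyrillic а, U+0430, in place of the Latin a), and examplebank.com is an assumption standing in for the domain you actually bank with.

```powershell
# Added example (not from the original article): pull the sender domains out of raw
# headers, flag disagreement between them, and diff a suspect domain code point by
# code point against the expected one. Sample headers below are constructed.
function Get-HeaderDomains {
    param([Parameter(Mandatory)][string]$RawHeaders)
    $result = @{}
    foreach ($name in 'From', 'Reply-To', 'Return-Path') {
        $m = [regex]::Match($RawHeaders, ('(?im)^' + $name + ':\s*(.+)$'))
        if ($m.Success -and $m.Groups[1].Value -match '@([^\s>]+)') {
            $result[$name] = $Matches[1].TrimEnd('.').ToLowerInvariant()
        }
    }
    return $result
}

function Test-LookAlikeDomain {
    param([Parameter(Mandatory)][string]$Suspect, [Parameter(Mandatory)][string]$Expected)
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Suspect -cne $Expected) { $findings.Add("domain '$Suspect' is not '$Expected'") }
    # What the resolver actually sees: any non-ASCII label becomes an xn-- Punycode label.
    try {
        $punycode = [System.Globalization.IdnMapping]::new().GetAscii($Suspect)
        if ($punycode -cne $Suspect) { $findings.Add("non-ASCII domain, resolves as '$punycode'") }
    } catch {
        $findings.Add("domain is not a valid IDN: $($_.Exception.Message)")
    }
    # Code-point diff, the same comparison a diff tool makes, but naming the character.
    $len = [math]::Max($Suspect.Length, $Expected.Length)
    for ($i = 0; $i -lt $len; $i++) {
        $a = if ($i -lt $Suspect.Length)  { $Suspect[$i] }  else { ' ' }
        $b = if ($i -lt $Expected.Length) { $Expected[$i] } else { ' ' }
        if ($a -cne $b) {
            $findings.Add(("position {0}: U+{1:X4} '{2}' in suspect vs U+{3:X4} '{4}' expected" -f $i, [int]$a, $a, [int]$b, $b))
        }
    }
    return ,$findings.ToArray()
}

# Constructed sample: the display name claims the bank, Reply-To and Return-Path point
# elsewhere, and the From domain hides a Cyrillic 'a' (U+0430) where a Latin 'a' belongs.
$cyrillicA = [char]0x0430
$rawHeaders = @"
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Alerts" <alerts@ex${cyrillicA}mplebank.com>
Reply-To: <support@examplebank-secure.example.org>
Subject: Urgent: verify your account
"@
$expected = 'examplebank.com'   # assumption: the domain you actually use for the bank

$domains = Get-HeaderDomains -RawHeaders $rawHeaders
$domains.GetEnumerator() | Sort-Object Key | ForEach-Object { '{0,-12} {1}' -f $_.Key, $_.Value }
if (($domains.Values | Select-Object -Unique).Count -gt 1) {
    'Header domains do not agree with each other; treat as suspect.'
}
Test-LookAlikeDomain -Suspect $domains['From'] -Expected $expected
```

The three header domains will rarely all match for legitimate bulk mail either (the page notes that bulk mailers use a different Return-Path), so treat disagreement as a reason to look harder, not as proof by itself. The code-point diff is the decisive check for homoglyph domains, since the U+ values differ even when the rendered letters do not.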

 

How The 20’s Security Offerings Mitigate Phishing

Vipre Email Security

Vipre Email Security is the new name for Fusemail. This service blocks both malware and phishing at the source. You don’t need to worry about a user clicking on malware or getting phished if they don’t even see it in the first place. Setup is easy and convenient and is pretty much ready to go (that is, no crazy lists or other hoops like some services) once the initial setup is complete. No solution is perfect however, so training and combination with a tool like OpenDNS makes this tool substantially more powerful. Vipre Email Security gives you the control to throttle scams and phishing attempts in order to keep your clients safe.

OpenDNS

OpenDNS isn’t typically thought of as a way to mitigate phishing attempts, but it works great against fake portals. OpenDNS is easily configurable and scalable for agents at your client’s sites. It prevents the few phishing attempts which get by from being as impactful. There are caveats to this however, but we have seen many tickets from confused users unable to submit their sensitive data to scammers. OpenDNS is flexible and easy to deploy to individual agents or across a network. From a domain environment to workers in the field, OpenDNS has an option to get you covered.

Deep Instinct and Huntress

Deep Instinct and Huntress help prevent and remove compromises on the inside. An internal compromise lets an attacker send phishing from legitimate accounts, which recipients find nearly impossible to tell apart from real mail. By preventing infections, you prevent data leakage and shut down threats such as ransomware and keyloggers. Deep Instinct and Huntress are like Yin and Yang: Deep Instinct is the prevention, Huntress is the remediation. Find existing footholds on new clients and lock them down, preventing the seemingly legitimate, internal threats that lead to phishing and worse.

 

To learn more about The 20 and how we can help your business, be sure to check us out here!


by Sage Driskell

 

MSPs large and small are systematically being targeted over and over in the news. It’s almost weekly a new article comes out about a given large provider being targeted. Many of these attacks come from API weaknesses. You can’t control the provider or service, but you can minimize the chance of these attacks impacting you and your customers.

Leaky APIs

Leaky APIs are APIs which allow easy exfiltration of data from a service. These exploits often stem from deprecated APIs or privilege escalations. Many deprecated APIs exist in products for backwards compatibility, but they often come with caveats and holes.

Privilege escalations happen on APIs due to loose queries that return data outside the caller’s scope: the API trusts a client-supplied record or tenant ID without checking that the caller owns it (broken object-level authorization). Other escalations rely on chaining multiple APIs whose combined results reveal data a user could not see through either one alone. A deprecated API may break the guarantees of another when glued together with the wrong product.

These types of attacks are often used to harvest credentials or information for attacks later. Stolen passwords can be used on any similar account on multiple platforms to see what is shared. Hackers glean data which makes their later attacks easier either for traditional attacks or for things like phishing attacks.

Weaponizing APIs

With the creation of things like fileless malware and easy, privileged access via RMM tools, weaponizing an API has never been easier. Other products, like Webroot, have had similar incidents from adding the feature to run commands remotely. This feature creep combined with API access makes these tools further targets.

Most products rely on some SQL database. Where the developers are not security conscious, an API will be a thin layer between the user and raw SQL queries assembled by string concatenation, which is exactly the SQL injection pattern. These can be weaponized to poison the data (granting greater access) or to exfiltrate useful data. Depending on the product, it may be possible to insert hostile, arbitrary code that something within the API later runs; some RMMs even store scripts as blobs in the database, so write access to that table is one step from code execution on every managed endpoint. Parameterized queries and a least-privilege database account for the API are the fix on the vendor side.

How Do These Attacks Happen?

These attacks happen because of lax security policies on both sides of the equation. Many vendors do not take into account the ramifications of the access their API can provide. Vendors which integrate their products may ask for more permissions than they need to function. A lot of permission sets are too permissive in general because it’s easier for the developer and the user to set up.

Clients of these products often fail to limit users enough. API users floating around provide an easy in to a company if they are compromised. Sometimes, the way multiple APIs talk to one another may be targeted as well. A simple return status from a query in a limited API may provide information that the other API would not normally have given. A simple boolean reply may provide a necessary bit of information for a malicious actor to work off of.

What Can You Do?

Removing unnecessary API users or users which may have API access is one of the easiest steps to protecting yourself, even from APIs outside of your control. Turning obsolete or unnecessary API versions, or even entire APIs off, is another great step. Use it or lose it. Trim off enough of the fat, and the hunter will target easier, more profitable prey.

Shrink your attack surface to shrink what you have to keep safe. Besides just trimming off the obsolete, scope your API users. An API user which only reports from a product doesn’t need write access. Your users need Two-Factor Authentication (2FA) everywhere possible. Do not share credentials between API users and do not recycle user names if you can help it. These basic steps have headed off many attacks before they even have the chance to become a threat with very little imposition on our technicians.

If you run products in house which have an API you use, try restricting traffic by source IP to whatever actually uses it. This isn't always possible, but it can often be used to limit certain service APIs to specific, known entities, which limits the impact of a leaky or broken API. Rate limiting connections is another great step. If your average client makes 5 requests per hour, why not set a limit of 10 requests per hour so that brute-force attempts take significantly longer? Alerting on these thresholds is another great step, especially if you control something in the stack which can see this.
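The three controls above (scoped API users, a source-IP allowlist for each service account, and a 10-requests-per-hour limit with alerting) as one gate, replayed over a constructed request log. This is an added example, not code from the article or any RMM product; the log format, user names, networks and addresses are all made up for the demo.

```python
"""Per-user API rate limit with a source-IP allowlist and threshold alerting.

Added example; not code from the original article or any product it mentions.
The log line format, client names and addresses are constructed for the demo.
The limit of 10 requests per hour follows the article's suggestion for a
client that normally averages 5.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy: which networks each API user may call from.
# A user missing from this table has been removed and must be denied outright.
ALLOWED_SOURCES = {
    "reporting-svc": [ip_network("203.0.113.0/24")],   # on-prem reporting box
    "backup-svc": [ip_network("198.51.100.8/32")],     # one fixed backup server
}

HOURLY_LIMIT = 10
WINDOW = timedelta(hours=1)


class ApiGate:
    """Sliding-window limiter: at most HOURLY_LIMIT accepted calls per user per hour."""

    def __init__(self, limit=HOURLY_LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)   # user -> timestamps of accepted calls
        self.alerts = []                    # (timestamp, user, reason) for the SOC

    def check(self, ts, user, src_ip):
        """Return "allow" or "deny"; every denial also raises an alert."""
        nets = ALLOWED_SOURCES.get(user)
        if nets is None:
            self._alert(ts, user, "unknown API user")
            return "deny"
        if not any(ip_address(src_ip) in n for n in nets):
            self._alert(ts, user, f"request from non-allowlisted source {src_ip}")
            return "deny"
        q = self.history[user]
        while q and ts - q[0] >= self.window:    # forget calls older than one hour
            q.popleft()
        if len(q) >= self.limit:
            self._alert(ts, user, f"rate limit {self.limit}/h exceeded")
            return "deny"
        q.append(ts)
        return "allow"

    def _alert(self, ts, user, reason):
        self.alerts.append((ts, user, reason))


def replay(log_lines, gate=None):
    """Feed constructed lines of the form 'ISO-time user src_ip' through the gate."""
    gate = gate or ApiGate()
    decisions = []
    for line in log_lines:
        ts_text, user, src_ip = line.split()
        decisions.append(gate.check(datetime.fromisoformat(ts_text), user, src_ip))
    return decisions, gate.alerts


# Constructed sample: a 12-call burst from reporting-svc (well above its usual 5/h),
# one backup-svc call from a stray address, one call from a deleted API user, and
# a later reporting-svc call once the hour window has slid past the burst.
SAMPLE_LOG = [f"2024-05-01T09:{m:02d}:00 reporting-svc 203.0.113.5" for m in range(12)] + [
    "2024-05-01T09:30:00 backup-svc 192.0.2.77",
    "2024-05-01T09:31:00 old-integration 203.0.113.9",
    "2024-05-01T10:05:00 reporting-svc 203.0.113.5",
]

if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE_LOG)
    print(decisions)
    for ts, user, reason in alerts:
        print(f"ALERT {ts} {user}: {reason}")
```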

Researching Products

No product is going to be perfect, but you can shop around to minimize damage. How does your current product handle exploitation? Are they quick to report it or do they take their time? A vendor which reacts fast may still get hit, but at least you'll know before your clients do and be able to protect yourself.

A vendor which tells you about an exploit quickly is also a vendor which works on fixing it quickly. Look at the vendor's response history and how long it takes them to clear out serious CVEs to know how big a threat they are to your business. If they can't keep up with serious vulnerabilities which are reported, what else are they missing that's not reported yet?

Always be on the lookout for how a vendor impacts you and your clients. A vendor which never has real access is easier to trust than one which can make system-level changes. Look out for how they handle older APIs too. A vendor which leaves deprecated features in too long runs the risk of being exploited down the line.

Ask your vendor what they do about older versions and whether or not they rate limit requests and accounts. See what the scope of their API access is. The irony is that those proudest of their API's open access will usually be the first to tell you about it. Weigh this against your other options and the impact on your client before signing.

Our Strategy

We minimize unnecessary API interaction and work to maintain best practices to prevent exploits. When an API becomes obsolete, it is removed from our system where possible. API access is also further limited for fixed entities to prevent more wholesale access from being available off premise. Users need 2FA to get into basically anything. These patterns heavily minimize the attack surface with very little maintenance. Our large community contributes to helping make sure every potential exploit is known as soon as possible.

Our Security Focus

We focus on a holistic approach to security, and try to stay ahead of exploits and reduce the risk of any given component. Your security is only as strong as its weakest link, so you must be vigilant. Prevent unauthorized API access by preventing any access unless necessary. We want to know about an exploit as soon as it is public, if not before and be able to react to it.

Cutting off your finger is better than losing your arm, but not having to lose either is best. Prioritization of exploits is extremely important to surviving in the modern security landscape. We’re well past the days of “perfect security” even being a pipe dream, let alone realistic. We work to hedge our bets and make our platform the least ideal for hackers without sacrificing functionality. An ounce of prevention, even if it’s bitter, is a lot better than a pound of cure.

Going Forward

Stay ahead of hackers by locking down every aspect of your security. APIs are one of the most often overlooked, most easily exploited parts of many products. Almost every major software product is going to have an API of some kind too. Know what you're dealing with and limit the damage where you can. MSPs have become low-hanging fruit for many hackers; elevate your security and avoid being next.


Our very own Sage Driskell is a Core Services Engineer at The 20. Interested in working for us? We’re hiring!

Five Concerning Breaches That Started With an Insider Threat

by Christine Izuakor


Human beings have been dubbed one of the most significant risks when it comes to cyber security in organizations. Behind every breach is a human or entity orchestrating an attack to make it happen. Within the affected organization, there is usually a human action that leads to the success of an insider threat attack. It could be a careless employee who clicked on a phishing email, a disgruntled employee who leaked confidential information to a competitor, or someone who wrote their username and password in a notebook that they lost while traveling. The list of events goes on and on. With so many examples, we have an opportunity to learn from all prior blunders and avoid this fate. Here are five notorious breaches that started with an insider threat.

IBM employee attempted to sell company software source code to undercover FBI agents.

A Chinese national working for IBM was one of a very select group of employees who had access to proprietary software code being developed for a product. The area of the network where the company stored this information was heavily guarded. While these firewall and network security protection mechanisms can help keep unauthorized individuals out, most companies don't build these environments expecting to have to worry about the authorized employees who are actually working on the product. In this case, IBM should have been very worried.

To financially support himself and give back to his country of origin, he quit his job, took a copy of the software code with him, and offered to sell it to China. United States officials caught wind of the Insider Threat and staged a meeting with undercover FBI agents where the Insider shared the stolen source code and even offered to edit it to remove any traces of IBM. Shortly after the meeting, he was taken into custody and eventually sentenced to five years in prison.

Understanding what people are exporting and copying from your network and having visibility into employee activity is one of many ways to prevent this type of attack.

A third party employee from a Target supplier clicks on a phishing email and impacts 70 million people in the process.

Undoubtedly one of the most talked-about data breaches of the century in the security community, the Target data breach started when a third-party employee clicked on a phishing link that helped attackers get into the HVAC vendor's network and eventually hop over to Target's network. This event shed light on how it's not just our own employees that we need to worry about, but that third parties matter as well. This was also a case where, although the Insider did not have malicious intentions, a mishap by a distant Insider inflicted considerable damage on the company.

There were a host of factors that contributed to the success of this attack, the biggest being third-party security and account monitoring. For example, Insider Threat detection technology can provide insight into abnormal administrator accounts being created and the actions taken on those accounts – activities that played a role in the success of this particular attack.

Trusted security engineer from Facebook abuses his access to stalk women online.

Cyber security professionals have a duty to protect people in the virtual world. These employees often have the most elevated access and require the most significant diligence to ensure that power is not abused. In Facebook's case, a security engineer who dubbed himself a "professional stalker" and claimed that in his line of work he tries to "find out who hackers are in real life," also alluded to using those same behaviors to find women in real life. This lapse of moral judgment and abuse of power added to the string of unfortunate headlines regarding security for the company, further impacting the company's reputation amongst the user community. The engineer has since been fired.

While this may be harder to detect and prevent, correlations in activity and User Behavior Analytics may have given the company a heads up on the employee’s anomalous activities.

An insider at Punjab National Bank fraudulently gets banks to cough up $1.8 billion.

An employee at Punjab National Bank made this breach possible due to a series of gaps in security. The employee was able to organize the issuance of fake letters of understanding, a type of loan request, which prompted two banks to provide loans to PNB. The primary employee behind the Insider attack admitted to having unauthorized password access to the SWIFT system to issue these fake letters. Typically, only a select group of senior leaders in the company have access to these credentials. He also admitted to sharing that password with other users within the company, as well as staff at the third-party diamond company who orchestrated the bigger plan.

The breach shed light on the importance of governance, risk management, auditing, and the ability to cross-check system information in banking and finance. Visibility into the improper access the employee had, and the activities conducted under his login could have enabled the company to detect this earlier on.

Former Coca-Cola employee makes away with company data on a personal hard drive.

Backing up data is a standard security best practice. However, what happens when employees are copying or backing up your company information on their personal devices? Once this is done, the company has minimal visibility into the use and protection of that data, if any. This was the case when a Coca-Cola employee was separated from the company and left with personal data of 8,000 people on a personal drive. Data breach notices were issued to all of them as a result. This served as yet another reminder that companies need insight into what’s being exported and better control over data leaving their networks.

Conclusion

We can learn many lessons from these events. The most important being that Insider Threats are a considerable risk to businesses and a credible threat that companies need to take seriously. Having a robust strategy to detect, prevent and respond to Insider incidents is essential. Check out our quick guide on ways to prevent, detect and respond to an insider threat.


Christine Izuakor is the Senior Manager of Global Security Strategy and Awareness at United Airlines. Reporting directly to the CISO, she plays a critical part in embedding security in United’s culture by training the global workforce on cybersecurity, managing the organization’s security strategy and developing the teams’ talent pipeline. Izuakor earned a Ph.D. in security engineering from University of Colorado, a master’s degree in information systems security from University of Houston, is a CISSP, and serves as a grad professor at Robert Morris University. In 2017, her rapid growth within the tech industry landed her a spot on Chicago Business Crain’s Tech 50 List. Izuakor is also Co-Founder and Vice President of Gen Trend, United’s next generation business resource group.


Interested in ramping up your MSP’s cybersecurity stack? Learn more about The 20 and our newly-launched ID 20/20 User Verification Tool.

by Patrick Sullivan, Contributor


By understanding what Workspace as a Service (WaaS) has to offer your End Customer, you can ensure that you’re reaching the customers who will benefit the most from the cloud. WaaS has so much to offer to so many. But, who is the ideal prospect?

So often we are asked, “What’s the best vertical for your solutions?” and, “What industries do you typically target?” or, “What type of companies can WaaS help?”

WaaS has practical applications across every vertical and just about every size business. This widespread versatility gives our partners the flexibility to develop their solution and messaging for the verticals they are already targeting, or to focus their marketing and sales as broadly as they want.

Using the Core-4 to Find the Ideal WaaS Customer.

When evaluating a prospective WaaS customer, look for the Core-4, which will help you zero in on the ideal cloud workspace customer. If the prospect answers “yes” to any of these four questions, then you have a winner:

1. Will you require a server refresh or other large IT project within the next 12 months?

This is especially true this year: Microsoft will sunset Windows 7 and Windows Server 2001/2008 R2 next January, so many companies are going to have to decide between an expensive fork-lift upgrade and an easy, inexpensive transition into the cloud. End Customers hate IT projects, and with the cloud you can eliminate the majority of them, saving them money and resources and building your cloud business in the process.

2. Do you have employees who work remotely? Or does your business have multiple locations?

In today's global business environment, companies are turning more and more to hiring remote staff, often outside their geographic footprint. Consider a company that hires Susan, whose sole responsibility is to meet with customers; any time she spends in the office is just wasted time. Or what about a business that needs Grant's specific expertise, but he lives in Seattle, hundreds of miles away? In both cases, the staffers need the same accessibility as anyone working from the office. In both cases, the company's IT needs to have control over their technology. Cloud Workspace simplifies both of these, making them an easy reality.

3. Do you have extensive security needs?

Think about a small bank, finance company or insurance agent. These are small companies, but they store and share sensitive client information. Security is paramount for them. At CloudJumper, we work incredibly hard to ensure our solutions are inherently secure. Additionally, we have a number of optional security add-ons that help your End Customers who need even more.

4. Is your company’s IT function larger than your IT team can support?

This can come out in a number of ways. Big security needs are one, of course, but the prospect may also have numerous software apps to manage and maintain. They might have tight IT requirements for maintaining certifications or franchise agreements. Maybe they have a mix of operating systems and devices that all need to connect. The list here is endless, and no doubt your prospects will share items they would simply love to off-load to the cloud.

Always Has Been, and Still It Remains, it’s the Core-4

These are the four prospect characteristics that so easily translate into a sale, and they always have in the 20 years we have been providing a WaaS solution. You will find them in businesses across every industry, every vertical, every part of the world. Understand them, recognize them, and the sale is yours! It’s just a natural fit.

By understanding the ideal WaaS customer, you will more easily grow your business in the cloud, and boost your sales, profits and the stickiness of your customer base. Especially as you are just starting to build your cloud business, start with the Core-4. Soon, you’ll find yourself supporting your customers in ways no on-prem server farm can handle.


Patrick Sullivan is the Channel Sales Manager for CloudJumper who uses his cloud expertise and business acumen to guide MSPs as they create and grow their companies in the cloud. His support helps them build an IT cloud solution that saves their end customers money, time and hassle. Patrick has been with CloudJumper since June 2015 and has been very successful working with his partners to build their businesses in the cloud. Prior to joining CloudJumper, he honed his business development skills working in the equipment finance industry for more than 8 years. In 2005, Patrick graduated from New Hampshire University with a Bachelor of Science in Business Administration.

So, who should be held responsible when a company’s data system gets breached? Historically, the CIO, the CISO, or both have shouldered the lion’s share of data breach responsibility; well over half of security decision-makers expect to lose their jobs if a hack happens at their organizations. However, breaches don’t happen in vacuums, and CIOs and CISOs don’t operate in them, either. Many CIOs report directly to the CEO, and some security experts feel that CISOs should be elevated to the same reporting level.

Whatever an organization’s reporting structure, the bottom line is the same: the responsibility for everything that happens within the organization, positive or negative, ultimately falls on the CEO and the board of directors. This includes data breach responsibility. This has been reflected in the numerous CEO firings (or resignations) that have followed bad breaches over the past few years, including those at Target, Sony Pictures, and the Democratic National Committee.

Apparently, Yahoo didn't get the memo about this a couple of years ago. After years of poor cybersecurity practices caught up with them, resulting in multiple breaches affecting over a billion user accounts, putting its acquisition by Verizon into question, and making the Yahoo brand name synonymous with the phrase "data breach," the company decided to fire its General Counsel, Ron Bell. Shockingly, CEO Marissa Mayer remained in place, albeit with a pay cut (she did leave Yahoo after the Verizon acquisition, but that was of her own choosing).

In Yahoo’s case, the CISO and the rest of the security staff couldn’t be fired. Fearing that a major security incident would eventually happen, they’d already run for the hills. The New York Times reported that former CISO Alex Stamos and his team had spent years warning Mayer of potential security issues, but Mayer insisted on putting “the user experience” ahead of cybersecurity and even cut the team’s budget.

Preventing Breaches Is Everyone’s Responsibility

Cybersecurity isn’t just an IT issue. It impacts every individual and department in an organization — from the board of directors all the way down to minimum-wage clerical and retail employees. The overwhelming majority of data breaches originate inside an organization, either because a negligent or untrained employee makes a mistake or a malicious insider decides to strike back against the company. No cybersecurity policy is complete unless it addresses the human factor behind data breaches by promoting a culture of cybersecurity awareness. This culture must start at the top of the organization; if the board, the CEO, and the rest of the C-suite do not take security seriously, front-line employees certainly won’t.

Yahoo’s firing of Ron Bell certainly shook up the legal community and caused much debate over where data breach responsibility ultimately lies. While this may have served to light a fire under organizations with questionable cybersecurity practices, the focus should not have been on whose heads would roll if a breach happened; it should have been on implementing proactive cybersecurity and compliance measures to prevent hacks from happening in the first place.

As for Yahoo, in September they settled a worldwide class-action lawsuit that alleged security issues dating back as far as 2003. Yahoo's attorney and lead plaintiffs' counsel told the U.S. District Judge in federal court that both sides had reached an "agreement in principle" – $47 million to be exact.

Is Your Computer Secretly Mining Cryptocurrency?

Mining cryptocurrency used to require thousands of dollars worth of equipment to see any kind of meaningful return, but not anymore. Newer digital currencies like Monero, ByteCoin, and AEON have given would-be miners the ability to mine tokens right from their laptops. This might benefit small-time miners that want to get involved in the sector, but for every good thing online there are always people that figure out a way to use it for bad.

Hackers have begun using these tools to infect computers and websites to secretly mine cryptocurrencies. This emerging type of malware attack has been dubbed "cryptojacking," and it could cause your computer to overheat and crash. Luckily, spotting these hidden miners isn't all that difficult.

Cryptojacking essentially hijacks your computer’s CPU power to mine. This means when you’re browsing the web, the malware is running in the background completely unbeknownst to you. There are a few types of this malware, and some run only when you visit a certain website and others can be maliciously installed on your computer. The best way to prevent this is by using antivirus software and adblockers.

If you’ve already been hit with this kind of malware, you’ll notice either your computer acting sluggish, getting warmer than usual, or its fan constantly spinning. If you aren’t running any kind of demanding software, like video games or video editing programs, this should be the first hint that your computer is working overtime.

If you’ve noticed your laptop acting up, it’s time to go check on what’s going on under the hood. Mac users can view a detailed breakdown of everything their computer is running by searching “Activity Monitor” and using the magnifying glass icon at the top-right of the screen. Windows users can simply hold down the Ctrl-Alt-Del keys to bring up “Task Manager.”

Both of these menus will display a graph of how much of your computer’s processing power is being used. Any massive spikes should be red flags. You’ll also see an ordered list of the programs using the most processing power at the moment. Before ending any of these programs be sure to research what they are, as you could be ending a crucial part of your operating system.

Both Tesla and the Los Angeles Times have had their sites infected by cryptojacking software. Companies with popular websites are the most at risk, as hackers can embed code onto their servers and use the CPU power of everyone who visits the site. But making it a habit to check on how your computer is running will ensure your device isn’t getting used to make someone else a crypto fortune.

If you’re concerned this is happening to you or your company, please contact us today.

We've all heard that in order to protect our information and online accounts we need to create complex passwords with uppercase and lowercase letters, numbers, and special characters, right? Following such advice does, in theory, produce passwords that are difficult to hack. Reality, however, tells us that while complex passwords provide better security, they also create new kinds of risks.

First, due to the limitations of human memory, complex passwords are more likely to be written down than familiar, easily-remembered passwords. This means that utilizing complex passwords increases the risk of passwords being exposed through insecure storage. People who don’t write down their passwords risk forgetting a complex password and having to go through a frustrating process of resetting it.

Storing complex passwords in a smartphone app is not an ironclad solution either. Password storage apps place numerous pieces of sensitive information in one place, and as a result, must be properly secured. Properly protecting the app and the data that it stores can make looking up a password an infuriating process involving entering long, complex passwords and waiting for various decryption functions to run. Of course, if such an app — or the phone itself — were ever infected with malware, the impact could be devastating.

In addition to the risks created by memory limitations, there is a major concern about how strong the complex passwords truly are, and how well they stand up to hacking tools. Research shows that the actual security provided by complex passwords is often far less than one would expect based on the password’s theoretical strengths. One major issue with complex passwords was published last year by a research team from Carnegie Mellon University, which explained that predictable human tendencies often dramatically undermine the strength of complex passwords.

For example, on systems that require passwords to include both upper- and lowercase characters as well as a number, a widely disproportionate number of the passwords created will follow this pattern: an uppercase character, followed by lowercase characters, ending with a single digit. Similarly, the researchers found that when people are required to create long passwords, they often repeat a short password twice. As a result of these human tendencies, password cracking is easier than ever.

So how should you best address these issues?

I wrote a blog on passwords a couple of months ago discussing this very topic after The National Institute of Standards and Technology (NIST) had issued new guidelines regarding secure passwords. The 3 guidelines were (and please refer to the previous password blog for more detail):

1. Remove periodic password change requirements.

2. Drop the algorithmic complexity song and dance.

3. Require screening of new passwords against lists of commonly used or compromised passwords.
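Guideline 3 in practice, combined with the two human tendencies described earlier (Capital-lowercase-digit shapes and a short password typed twice): a screening function that rejects a candidate password for the reasons above and otherwise imposes no composition rule. This is an added example, not the post's own code; the compromised-password list is a constructed stand-in for a real breach corpus, and the 8-character minimum is taken from NIST SP 800-63B rather than from the post.

```python
"""Screen a new password against a compromised-password list and flag the two
predictable shapes the Carnegie Mellon research described.

Added example; not code from the original post. The blocklist below is a
constructed stand-in for a real compromised-password feed, and MIN_LENGTH
follows NIST SP 800-63B (an assumption; the post names only 'NIST guidelines').
"""
import hashlib
import re
from typing import List


def _sha1(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed blocklist, stored as SHA-1 digests so the plaintexts never sit on
# the screening host. A real deployment would load a full breach corpus here.
COMPROMISED_SHA1 = {_sha1(p) for p in ("password", "Password1", "letmein", "qwerty123")}

MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen memorized secrets

# "Capital letter, then lowercase letters, then one digit": the shape that
# dominates when upper/lower/number composition rules are imposed.
CAPITAL_LOWER_DIGIT = re.compile(r"^[A-Z][a-z]+[0-9]$")


def is_doubled(pw: str) -> bool:
    """True when pw is a shorter string written exactly twice, e.g. 'dragondragon'."""
    n = len(pw)
    return n >= 2 and n % 2 == 0 and pw[: n // 2] == pw[n // 2:]


def screen_password(pw: str) -> List[str]:
    """Return the reasons to reject pw; an empty list means it passed screening.

    Deliberately no complexity rule (guideline 2): length, breach exposure and
    predictable structure are what actually decide how crackable it is.
    """
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if _sha1(pw) in COMPROMISED_SHA1:
        findings.append("appears in compromised-password list")
    if CAPITAL_LOWER_DIGIT.match(pw):
        findings.append("predictable shape: Capital, lowercase, trailing digit")
    if is_doubled(pw):
        findings.append("short password repeated twice")
    return findings


if __name__ == "__main__":
    # Constructed candidates: a breached one, a short patterned one, a doubled
    # one, and a long passphrase that satisfies no composition rule yet passes.
    for candidate in ("Password1", "Summer7", "dragondragon", "correct horse battery staple"):
        print(repr(candidate), "->", screen_password(candidate) or "OK")
```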

Hopefully this helps! I know at the very least it should get you thinking about doing more to protect yourself in the password arena. I know it helped me and got me thinking smarter.

Please contact us for any questions you may have on password screening! We’re happy to help and point you toward software that can make this process simpler.