Rogue IT: Your data might be leaking


Resource Credit | AccountingWEB

In his first column for AccountingWEB, cybersecurity expert Adam Harling looks at ‘Rogue IT’, and how your business could be at risk without you even realizing it.

Simply put, “Rogue IT” is the use of unauthorized technology in an organization. In days gone by this was usually quite simple and often innocuous.

For example, your creatives storing images and assets on a portable hard disk they bought privately, a team sharing files from local PCs to bypass the security requirements IT imposes before creating a share on a server, or, in extreme cases, a network-attached storage device connected by a tech-savvy team member to store a department’s files.

While these actions were not ideal and often had all sorts of backup and security implications, they were at least physical, easy to detect and behind the perimeter firewall. Enter the tech-savvy workforce and the death of physical media.

With the large-scale adoption of cloud file sharing, and with just about everyone in the workplace now not only comfortable adopting new technology but also keen to work quickly and fully aware that they can get the result they need by simply bypassing IT approval, we have a real problem.

Once your IT team loses control of the location of data, they lose the ability to secure it, to back it up and to monitor it.

The most common way we see data leaking is via unsanctioned and unmonitored cloud file-sharing platforms. It’s not the choice of platform that’s the issue; it’s that if it is used to store data, it needs to be managed.

A worked example might start out innocently enough. Our keen team member needs to work on the Q3 forecast from home, so the files get transferred to a personal cloud storage account so they can be opened from the home PC. In that simple, innocent action your data is in the wind and at risk.

Possible Outcomes

  • Should that account be breached, your IT team have no control over the passwords or security policies in place on this account
  • Should that employee leave the organization, your IT team have no way of removing access to that data
  • Should the file contain critical data and be lost or corrupted, you likely have no route to a backup
  • The file could be shared with anyone and everyone, inside or outside your organization, even your competition. Your IT team will have zero visibility

What can we do about this issue? Thankfully there are some technologies available that can help, often called “DLP” or Data Loss Prevention.

This technology allows alerts or restrictions on the movement of data. It can detect sensitive information and prevent it from leaving a network or storage platform.

DLP technology can be found in many modern “UTM” firewalls such as the WatchGuard M series; configured correctly, they can be a great aid in keeping your data inside the network.

Microsoft also offers DLP features as part of the Microsoft 365 platform. This can be an involved project to implement, but it offers probably the most complete technology solution.

As always, we need to look at people and process. Make sanctioned tools available to your team. If remote working is required, have a policy and toolset in place before your users “go rogue” and circumvent your IT.
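As an added illustration of the content-inspection step a DLP product performs before it allows or blocks a transfer (example code written for this column, not WatchGuard’s or Microsoft’s): the scanner below looks for card-number-shaped digit runs, uses the Luhn checksum to drop look-alikes such as order references, and reports only masked values in its alert.

```python
import re

# Constructed sample "files" standing in for documents a user might copy to an
# unsanctioned cloud share. Names and contents are invented for this example;
# the card numbers are well-known test numbers, not real accounts.
SAMPLE_FILES = {
    "q3_forecast.txt": "Q3 forecast: revenue up 4%. Ask finance for the model.",
    "customer_export.csv": (
        "name,card\n"
        "A. Person,4111 1111 1111 1111\n"
        "B. Person,5500-0000-0000-0004\n"
    ),
    "notes.txt": "Order ref 1234 5678 9012 3456 is not a card number.",
}

# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a cheap way to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit runs in text that look like cards and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(number: str) -> str:
    """Alerts should carry only the last four digits, never the full number."""
    return "*" * (len(number) - 4) + number[-4:]


def classify(files: dict) -> dict:
    """Per file: ("block", masked matches) if card data is found, else ("allow", [])."""
    decisions = {}
    for name, content in files.items():
        cards = find_card_numbers(content)
        if cards:
            decisions[name] = ("block", [mask(c) for c in cards])
        else:
            decisions[name] = ("allow", [])
    return decisions


if __name__ == "__main__":
    for name, (verdict, found) in classify(SAMPLE_FILES).items():
        print(f"{name}: {verdict} {found}")
```

A real product adds many more classifiers (national IDs, keywords, document fingerprints), but the allow/block decision and the masked alert follow this same shape.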

Make it easy for your users to request tools from your IT team, try and remove barriers for adopting new technologies, and should a tool not be sanctioned, ensure your users know why.

Have a robust personal device policy in place, and if you choose to adopt “BYOD” (Bring Your Own Device), ensure you take advantage of MAM (Mobile Application Management) that allows sandboxed access to company data on personally owned devices.

So have you got a rogue? Is your data out of your network and out of control? Contact us to discuss Microsoft 365 solutions to make sure your company data is stored correctly and securely. Contact us on info@allonline365.com or +27 (21) 205 3650.

www.allonline365.com

OneDrive Personal Vault brings added security & storage options


OneDrive Personal Vault brings added security to your most important files and OneDrive gets additional storage options

With the growing presence and sophistication of online threats, it’s increasingly important to have the right protection and tools to help safeguard your devices, personal information, and files from being compromised. Today, we’re excited to announce OneDrive Personal Vault – a new layer of security coming to your OneDrive personal account to further protect your most sensitive and important files.

We’re also increasing the OneDrive standalone storage plan from 50 GB to 100 GB at no additional charge, and we’re giving Office 365 subscribers a new option to add more storage as they need it.

OneDrive Personal Vault

OneDrive runs on the trusted Microsoft cloud, which has many security measures in place to keep your files safe. But we understand that some people want more protection for their most important and sensitive files, which is why we’re introducing Personal Vault.

Personal Vault is a protected area in OneDrive that you can only access with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS. Your locked files in Personal Vault have an extra layer of security keeping them more secure in the event that someone gains access to your account or your device.

Plus, this added security doesn’t mean added inconvenience. All your documents, photos, and videos in Personal Vault are easy to access on Onedrive.com, your PC, or capable devices.


Personal Vault adds to the robust privacy and security that OneDrive currently offers, including file encryption at rest and in transit, suspicious activity monitoring, ransomware detection and recovery, mass file deletion notification recovery, virus scanning on download for known threats, and version history for all file types.

Easy to use

Just enter a PIN, or use your fingerprint, face, or code delivered by email or SMS to unlock and access your files – no need to remember multiple passwords. Additionally, Personal Vault can be unlocked with the Microsoft Authenticator app. Whichever way you choose, unlocking is quick, convenient, and helps secure your data.

Scan and shoot directly into Personal Vault

You can use the OneDrive mobile app to scan documents, take pictures, or shoot video directly into your Personal Vault, keeping them off less secure areas of your device – such as your camera roll. It’s easy to scan important travel, identification, insurance documents, and more directly into your Personal Vault. And you’ll have access to these documents wherever you go, across your capable devices.


Extra protection on and off your PC

Personal Vault uses more than just two-step verification to help keep your files safe and private. On Windows 10 PCs, OneDrive syncs your Personal Vault files to a BitLocker-encrypted area of your local hard drive. And like all files in OneDrive, the contents of your Personal Vault are encrypted at rest in the Microsoft cloud and in transit to your device. For further protection on mobile devices, we recommend that you enable encryption on your iOS or Android device. Together, these measures help keep your files protected even if your Windows 10 PC or mobile device is lost, stolen, or someone gains access to it.

Automatically locking after a short period of inactivity

Personal Vault automatically relocks on your PC, device, or online after a short period of inactivity. Once locked, any files you were using will also lock and require reauthentication to access. There’s no need to worry about whether you left your Personal Vault or your file open – both will close and lock automatically after inactivity.

Available soon

We’re excited to announce these new capabilities to people who use OneDrive on the web, with our mobile app, or on a Windows 10 PC. Personal Vault will begin rolling out soon in Australia, New Zealand, and Canada and will be available to everyone by the end of the year.

If you already have OneDrive, Personal Vault will appear as a feature update when it launches later this year in your region. And if you aren’t yet a OneDrive customer, you can download the app or go to www.onedrive.com to start using it on your PC or on the web. If you are using OneDrive’s free or standalone 100 GB plan, you can try Personal Vault with a limited number of files. Office 365 subscribers can store as many files as they want in Personal Vault, up to their storage limit.

OneDrive gets additional storage

Today, we’re also excited to share two storage plan updates.

Store more with OneDrive 100 GB plan – We’re increasing the amount of storage in the OneDrive standalone plan from 50 GB to 100 GB for the same $1.99 per month. That’s enough space to store over 50,000 pictures (at 2 MB per photo). This new plan is perfect for automatically backing up your phone’s camera roll and scanning and saving documents, receipts, and more right from your phone. You can also use it to back up your files and to share and collaborate on documents. This new plan will roll out soon. If you’re currently using our 50 GB plan, you’ll automatically get 50 GB more storage added to your account at no additional cost. For more information, see OneDrive plans.

Get additional OneDrive storage if you need it – Your Office 365 subscription starts with 1 TB of OneDrive storage, and many people have asked for even more storage. Today, we’re announcing OneDrive additional storage, which lets you add more storage – as you need it – to your existing Office 365 subscription. You can add storage in 200 GB increments starting at $1.99 per month, going up to 1 TB of additional storage for $9.99 per month.

If you need 2 TB of storage, we now have an option for you. Pay only for what you need and increase, decrease, or cancel your additional storage plan anytime. OneDrive additional storage will be available in the coming months wherever Office 365 is available.


Resource Credit | Microsoft 365

How to reduce user account lockouts and password resets


Introduction

It happens every day. Every IT professional has experienced it. You’re working on a detailed project, something urgent that requires massive amounts of concentration, or you are otherwise trying to keep the company ship afloat, and then the request comes in. “My account is locked. Can someone unblock it and reset my password?”

The dreaded account lockout/password reset request. You sigh, stop what you’re doing, then take care of the issue, hoping it’s as simple as communicating the new password to the user and that you won’t get dragged into a headache of subsequent account lockouts, problems picking a new password (“It keeps saying my password isn’t sufficiently complex!”), the new password not being accepted on the system, or some other woeful entanglement that can derail your other efforts.

Let’s be clear: IT is there to support the business. A locked or inaccessible account represents a work-stoppage issue. Employees aren’t there to be paid for doing nothing. Passwords are a necessary way of life, and account lockouts occur for security reasons to reduce threats to company data.

On a one-off basis, sorting these problems out isn’t such a big deal, but some days it might seem as if all you’re doing is password resets, and that negatively impacts your workload (not to mention morale).

Biometric solutions are capable of replacing passwords with fingerprint or retinal scanners for hands-on devices, but their adoption is not progressing fast enough to satisfy the time management needs of many IT pros. There are better ways to support the organization by advocating technological and strategic approaches. Here are 10 tips to improve account administration among both administrators and end-users to reduce lockouts and resets.

Tips for administrators

Review your account policies

Your account policies might need tweaking to reduce the incidence of lockouts or password resets. Are your password requirements too stringent? Is password aging (making users wait for a certain time period before they can change their password) set too high? Are password changes being forced too frequently, or not frequently enough? Is it possible to configure accounts to automatically unlock after a certain period of time? As always, you should check with your security department before making any changes.
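Before relaxing a lockout threshold, it helps to know where the lockouts are coming from. As an added example (not from the article), this Python script reads simplified, constructed renderings of Windows Security event 4740, which records the locked-out account and the Caller Computer Name, and counts repeat (account, device) pairs; the line layout is invented for the example, a real export will look different.

```python
import re
from collections import Counter

# Constructed, simplified one-line renderings of Windows Security event 4740
# ("A user account was locked out"). The field names are the event's own; the
# timestamps, users and computer names are invented for this example, and a
# real export will not be laid out this way.
SAMPLE_EVENTS = """\
2017-05-02T08:01:12 EventID=4740 TargetUserName=jsmith CallerComputerName=LAPTOP-JS
2017-05-02T08:31:40 EventID=4740 TargetUserName=jsmith CallerComputerName=LAPTOP-JS
2017-05-02T09:02:05 EventID=4740 TargetUserName=jsmith CallerComputerName=LAPTOP-JS
2017-05-02T09:10:51 EventID=4740 TargetUserName=mlee CallerComputerName=WS-FINANCE-03
2017-05-02T09:45:00 EventID=4624 TargetUserName=mlee LogonType=2
2017-05-03T08:02:30 EventID=4740 TargetUserName=jsmith CallerComputerName=LAPTOP-JS
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+)"
    r"(?: CallerComputerName=(?P<caller>\S+))?"
)


def parse_lockouts(text: str) -> list:
    """Keep only 4740 events as (timestamp, user, caller computer) tuples."""
    lockouts = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m.group("id") != "4740":
            continue
        lockouts.append((m.group("ts"), m.group("user"), m.group("caller") or "?"))
    return lockouts


def repeat_offenders(lockouts: list, min_count: int = 3) -> dict:
    """Count lockouts per (user, caller computer) and return the pairs at or
    above min_count. The same device locking the same account again and again
    usually means a stale saved credential (browser, mapped drive, mail
    client) rather than a user mistyping, so fixing that device removes the
    reset requests at the source."""
    counts = Counter((user, caller) for _, user, caller in lockouts)
    return {pair: n for pair, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for (user, caller), n in repeat_offenders(parse_lockouts(SAMPLE_EVENTS)).items():
        print(f"{user}: {n} lockouts from {caller}")
```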

Document the password details

Make sure you clearly document and provide to all users your company’s password requirements, rotation schedule, which systems specific accounts and passwords apply to, the password environment, and any other elements they need to know to manage their accounts well. This should be made available to new hires as well as current employees. Also, be sure to document how much time you or your group spend performing account or password resets.

Use a self-service product

If your security team approves, it’s possible to let users unlock their own accounts and/or reset their own passwords. ManageEngine’s ADSelfService Plus, Jiji Self Service Password Reset and Specops Password Reset are three examples of commercial products that can handle account unlocking and password resets.

Products of this nature can rely on security questions, the capability to email or text new passwords to end users, and multi-factor authentication, so users must verify their identities before proceeding. Such products are generally easy to set up and administer, making them an ideal investment of time and capital considering the labor savings (and stress reduction) they can provide.

Reduce environmental complexity

Users, as well as IT staff, may have to put up with some real headaches if you have a complex environment. Multiple password “islands”, where some systems use standalone authentication, some synchronize credentials among a select few other systems, and some rely on a centralized server for access, can make it difficult to keep track of which ID goes with which password and on what system or service. These are rampant in big companies, which often have a slew of in-house and cloud-based systems.

It’s possible to employ a single sign-on solution whereby servers rely on Lightweight Directory Access Protocol (LDAP) to authenticate users against Active Directory domain controllers. There are also third-party products that can perform similar functions, such as Okta Single Sign-On, OneLogin Secure Single Sign-On Solution and Centrify Identity Service.

If you have Linux servers in place, a poor administrator’s solution can be to write a simple cron job that rsyncs the /etc/shadow, /etc/passwd and /etc/group files from a single source server to the other target servers. Users could then administer their passwords on the source server and these would replicate to all the other systems, say, every five minutes.

Delegate to another group

The simplest solution of all to account/password resets? Don’t do them. Hand them off to someone else. Establish a Tier 1 help desk or another outside party or group and let them own it. Of course, to ensure that this transition is successful, you’ll have to be hard-hearted and resist the temptation to unlock someone’s account “just this once”.

Tips for end-users

I’ll be blunt here and speak from experience: password management isn’t a new concept, so users have to step up and take responsibility for owning their passwords. IT staff routinely has too many fires to fight and goodwill tends to evaporate when you lock your account out with every password change. These tips for end-users should help improve the situation.

Use a password manager

The simplest and easiest way to keep track of your passwords is to use a password manager like KeePass or Password Safe. I’ve used both and they work well for both business and personal account management. Each product is free and uses an encrypted database with a master password (which you should obviously memorize and not write down). You can save passwords and copy/paste them as needed, making it unnecessary to type or even know the password.

Use better password techniques

A few simple tricks can help you pick more effective and useful passwords. A pilot friend uses an eight-character password that always has the same last five characters. He changes the first three characters to an airport code (BOS for Boston, SFO for San Francisco, etc.), and just pictures the city representing the airport code when he needs to remember his password.

Mnemonic tricks like this can be useful. Consider using “password phrases” rather than regular passwords. For instance, Orange c0w 3lender (whereby the “o” is replaced by the number “0” and the letter “b” is replaced by the number “3”) is simple to remember and will fit most password requirements. It’s quite easy in summertime to envision an orange cow handing out a blender of icy beverages. You might also think of a specific phrase, such as “We love Boston in the Spring 2017”, then pick the first letter of each word to formulate a password like Wlbits2017. This works especially well with the prior tip.

You should also pick passwords with the right “keyboard flow”, whereby you type the characters in a comfortable pattern, left to right across the keyboard for instance. There’s nothing more awkward than having to peck at keys from all sections of the keyboard, and this can result in account lockouts just due to simple typos.

Maintaining good security practices

It may sound like security has no bearing upon managing or remembering your password, but there are subtleties between the two concepts.

If you can avoid it, don’t save passwords, such as in a web browser: a saved old password might end up locking your account after the password has changed. (Obviously, this tip could end up producing tedium, such as having to type your email password on your phone every time you want to check your inbox.)

Speaking of your email account, guard the password well since your email account likely holds the proverbial “keys to the kingdom” for other accounts because automated password reset notifications will likely go here. If someone compromises your email account they could then use it to reset your password(s) elsewhere and wreak major havoc.

Make sure you’re aware of where you are logged in and on which device and change your password across the board when the time comes. Keep a list if you have to.

Use the same passwords where feasible

This one might be controversial, so let me explain. Of course, using the same password for your email, phone, computer, bank account, credit card accounts, etc. is a very bad idea.

However, if you have access to several tests or other low-level systems that pose no security risk if compromised, using MyPass2017 for your password on all of them is a no-brainer. Update this password across all applicable locations when it changes to ensure consistency.

Be proactive

I manage some systems that don’t notify users in advance that their password will change soon. Therefore, they only find out their password expired when they attempt to log in and this leads to poor password choices or problems authenticating with the new password.

I often recommend users set reminders to change their passwords before they actually expire. This is as simple as creating a recurring Outlook task or appointment.

Also, keep track of when your password will expire even if you do get an advance notification (such as in Active Directory environments). If you know you’ll be out on the day your password expires, be sure to change it before you leave the office.


Resource Credit | TechRepublic
