To Cloud or Not to Cloud

By David Hald, Chief Relations Officer

Recently, the cloud world experienced a huge punch to the gut. Microsoft Azure went down for some hours in different services, affecting millions of users in many different regions around the world. Once again, it raises the question of whether “cloud” is the right way to go or not. Perhaps the concern is that you can become “too cloudy.” I don’t believe anyone has the ultimate, definitive answer to that question – yet.

The obvious benefits of centralizing and sharing resources seem appealing, as we have seen with services like water and electricity. However, is it accurate to make a direct comparison between public utilities and private, proprietary data? In addition, are you, for example, more secure if you sit behind a large hosted firewall, than if you simply have your own smaller firewall at your local office? One thing we know from experience is that, if a centralized system takes a blow, all its customers feel it. We also know that you might be compromised, not because the attackers are after you in particular, but because they are after your neighbor in the cloud and, by compromising the big “system,” they get many more fish in their net – and that could include you.

Since nobody yet has the definitive answer about the current or long-term safety of the cloud, we at SMS PASSCODE have created a technology that works irrespective of how many cloud services you use. Cloud or no cloud, SMS PASSCODE’s technology can do it all. We run on-premise, and through our hundreds of valued partners around the world, we are delivered “as-a-service” in the cloud as well.

To learn more about how we can keep you secure, please visit our What We Protect page.

In The World of Mobile Security, Context is King

By David Hald, Chief Relations Officer

The workforce is becoming increasingly mobile, offering greater convenience and productivity for employees on the go. However, this shift has created significant security concerns as well. Providing remote access to business applications and data can become a real IT headache as people move from one location to the next and log in from a variety of mobile devices.

This week Citrix announced that “Contextual Security is Key to Enabling Business Mobility,” which has been a key element in SMS PASSCODE’s strategy for years. In fact, SMS PASSCODE was recently awarded a patent, which we filed in 2008, for a “system detecting and protecting against identity theft by abusing a computer user’s ID and password…via a second authentication level using…a one-time-passcode and user contextual location information.”

Unfortunately, the world that Citrix describes where “…security is not keeping pace with today’s threat landscape” is all too real. A recent report published by Recorded Future revealed the shocking fact that 221 of the U.S. Fortune 500 companies have exposed user credentials on the web. The growing number of network breaches shows all too clearly that the bad guys are getting increasingly sophisticated and, therefore, the good guys (like us) are adapting to deliver more intelligent security in response.

Today, SMS PASSCODE can provide advanced adaptive and contextual authentication for most vendors’ solutions. Citrix in particular has supported this strategy by adding features to its Netscaler products that enable SMS PASSCODE to identify the user’s location and thereby determine whether this user has the right to log on via Netscaler from this particular location. Furthermore, SMS PASSCODE has methods to identify where attackers are trying to compromise your security from and, once a location is identified, SMS PASSCODE can be used to blacklist it. We are noticing a trend in the authentication space toward whitelisting users rather than blacklisting them. This means that instead of letting anyone log on to any system from anywhere, one begins to map out who needs access to which systems from where, and then locks down all access other than what has been identified as needed.

In this age of weekly headlines detailing yet another security breach, securing the mobile workforce is an absolute business necessity. But it doesn’t have to be a huge IT headache.

Read on to learn more about SMS PASSCODE’s unique adaptive multi-factor authentication.

Bringing Multi-factor Authentication to Enterprise File Transfer

By Torben Andersen, Chief Commercial Officer

Last week we shared exciting news that SMS PASSCODE has formed a strategic technology alliance with Globalscape. Globalscape designs and delivers both SMB and enterprise file transfer software and services that are trusted by the U.S. Army, Fortune 100 companies, and businesses around the world. I wanted to further highlight what this partnership means to enterprises using file transfer services today.

In recent years multi-factor authentication has changed from being a ‘nice to have’ to a ‘need to have’. We encounter it in our personal lives when, e.g., paying our bills online and accessing our social media accounts, and now it is also quickly becoming a best practice for enterprises of all sizes looking to secure access to corporate networks and cloud applications. But what about situations where employees are using various forms of file transfer solutions and FTPs to transmit data to external parties? Here it is equally important to authenticate users before granting access to these data storage facilities.

As a result of this partnership our multi-factor authentication platform now integrates seamlessly with Globalscape’s secure managed file transfer solution EFT™ (Enhanced File Transfer™). With this integration system administrators have the ability to connect EFT to SMS PASSCODE via a local or LDAP-authenticated site, to deliver a one-time-passcode via text message (SMS), a voice call, through email, or via an app to the user’s mobile phone as part of the login process for HTTP, HTTPS or SFTP transfers.

Customers benefit from enhanced security as they can easily deploy multi-factor authentication to their secure file transfer via EFT, and without compromising convenience for the users as they will benefit from the superior user experience the SMS PASSCODE platform provides.

Here is a short video that shows the login experience to Globalscape with multi-factor authentication protection.

Busting The Top Four Myths About Hacking

By Torben Andersen, CCO, SMS PASSCODE

Knowing what’s myth and what’s fact is essential to avoid running unnecessary risks to your business. Myths can lead to false assumptions and thinking that your business is not at risk of being breached by hackers. So let’s take a closer look at some of the most common myths out there.

1# Myth – Hackers only target the big brands

When big brands like Target, eBay, Adobe, and Sony are hacked, it’s big news for business and mainstream publications. Don’t be fooled: big companies aren’t the only ones being targeted. In fact, research shows that 31 percent of all hacking attacks were aimed at businesses with fewer than 250 employees.

2# Myth – You have nothing valuable for hackers to steal

Fair enough. Not everyone is fortunate enough to be storing breakthrough research with the potential to revolutionize your industry if only you can keep it secret long enough to secure a patent. But what about your business email? Email often contains highly sensitive data, such as competitive bids, investment plans or pipeline information. Imagine the damage if these details were to fall into the wrong hands.

There’s even more low-hanging fruit to steal if hackers breach your network. Customer records, credit card information and even employee user credentials are worth as much as $50 USD per record when sold on the Internet. An entire shadow economy has emerged online with brokers selling stolen user records; according to the FBI, cybercrime has become even more profitable than drug-related crimes. This makes everyone a target.

3# Myth – Your anti-virus and network vulnerability tests will keep you safe

Patch management, updated anti-virus applications and frequent network vulnerability tests are all good weapons in a defense against hackers. However, if you are not securely authenticating your users when they access your corporate networks or applications, then you’re leaving the front door open for the hackers. Research shows that weak or stolen passwords are exploited in 76 percent of all network breaches. So, yes, this really is the hackers’ preferred way in.

4# Myth – Hackers are teenagers lurking in a basement somewhere

For most of us, the word “hacker” prompts images of pale teenage boys with long hair, black t-shirts and a serious grudge against Microsoft. While many hackers probably still fit this description, the reality is that the hacker has evolved. Today’s hacker is highly educated, well-connected, and well-equipped, enjoying a high-income profession as a professional cybercriminal. The hackers have some powerful tools at their disposal (see examples in this blog post), and the many poorly protected victims have made hacking easier than ever before, resulting in cybercrime becoming the fastest growing crime type in the world.

Hackers’ motive is most often financial gain, but “hacktivism” is also becoming a growing threat to nations and organizations that don’t sympathize with the hacker’s cause.

We have created an infographic and short video that capture the key facts from the latest research about the threat companies face from hacks. Take a look here.

Have any hacking myths of your own to share? Post them in the comment field.


Sources: Data Breach Quick View 2013, Verizon Data Breach Investigations report 2013, FBI, Internet Security Threat Report 2014


Don’t Let Hackers Crash Your Party

By Claus Rosendal, CTO

We can all agree that there are serious IT threats out there today that all companies need to protect themselves against. Working with IT security every day I have seen a lot of what today’s hacking community has to offer, yet I’m still amazed by the strength and sophistication of the hacking tools used to steal identities and breach corporate networks. Some good examples of these tools were on display when I attended Microsoft’s TechEd together with the rest of the development team. Here is a recording from one of the sessions that I thought would be interesting to share in this blog. Amongst other ‘features’ it shows how to easily intercept user credentials and passwords via man-in-the-middle attacks as well as how to steal security certificates from users’ machines.

Although the powerful tools at hackers’ disposal are scary to think about, there are still companies out there that haven’t yet deployed strong multi-factor authentication to keep their data safe.

Having the latest antivirus software and running network vulnerability tests are both essential places to start, but if you are not authenticating your users, then you are leaving your front door wide open to hackers.

The fact that weak or stolen user credentials are exploited in 76 percent of all network breaches (according to Verizon Data Breach Investigations report 2013) shows that obtaining user credentials is the most effective method for hackers to gain access to a company’s data.

Regardless of whether these usernames and passwords are cracked, phished, or purchased online, it is simply the easiest way for hackers to slip past the gates.

While multi-factor authentication can’t protect you from all cyber threats, modern multi-factor authentication technology WILL ensure that only your invited guests can join the party.

Surf’s up – Are You Ready For the Tidal Wave of Forgotten Passwords?

By Torben Andersen, Chief Commercial Officer, SMS PASSCODE

It is summer, surf is up and most of us already have or are planning to take some time off to relax and reload our batteries.

Now I don’t want to spoil your vacation or cause unnecessary stress, but have you thought about what happens when your employees return from summer vacation and cannot remember their passwords?

Statistics suggest that as much as 20-50% of all help desk calls are related to password problems, and the scenario with forgotten passwords after a vacation is classic and a real pain to many IT departments year after year. When I attended Infosecurity Europe in London back in May I had the pleasure of speaking with many IT professionals visiting our booth. During these conversations, it quickly became clear to me that passwords are a real curse for IT managers. The main concern, of course, is the fact that passwords today offer no real protection as a means of authentication, but the security aspect aside, forgotten passwords typically require the IT department’s involvement to get the users back online, and the IT managers I spoke with dreaded the spikes in help desk calls they receive around the holiday periods.

However, it doesn’t have to be that way. SMS PASSCODE’s Password Reset Module takes this pain away by enabling users to easily reset their own Active Directory passwords in a secure way.

How does it work?

So how does our Password Reset Module work? Well to illustrate a situation where a user forgets his/her password and is locked out, we made this short video. Take a look.


As you can see from the video, the process of resetting the password is easy and intuitive, and the user is quickly back online. However, the latest release of Password Reset Module also features the possibility of alerting users when their password is about to expire.

By coincidence my own password was up for renewal yesterday, so I thought I would write this blog to share the experience from a user point of view and to highlight how the notification process around password renewals actively helps avoid user lockout situations in the first place.

First I received a text message saying “Your password will expire in 3 days. You can set a new password here” followed by a link to the self-service site. Not only was this message timely (it informed me BEFORE my password expired), but it also allowed me to take action and reset the password by clicking the URL.

I clicked the link in the message and was forwarded to the SMS PASSCODE Self-Service website, where I was guided through the process step-by-step. I completed the process directly from my iPhone. No need to open up a browser on my laptop or to pinch to zoom in on the screen of my mobile phone.

In terms of security the Password Reset Module can be configured to look at my location and then determine the level of authentication needed before I can reset my password. In my particular case the solution identified that I was in a trusted location (inside the office building) and I was prompted to enter a One-Time-Passcode (OTP) that was sent to my mobile phone.

This was an interesting step as the flash SMS with the OTP popped up on top of the self-service site, requiring me to remember the code after hitting OK on my screen. Luckily SMS PASSCODE’s memoPasscodes™ feature means all our codes are easy to remember, and I had no problems during this step.

The entire process of setting a new password took me less than 3 minutes.

I hope this post describes just how convenient a password reset process can be, and how it can empower your users to get back online without having to contact the IT department.

It is easy to use and requires no software to be deployed on the users’ phones. More importantly, it can help you avoid that nasty tidal wave of inbound phone calls and emails from frustrated users who have forgotten their password after their summer vacation.

Have a good summer everyone.

It’s a Bird…It’s a Plane…It’s SMS PASSCODE Version 7.2

By Claus E. Kotasek, CEO, SMS PASSCODE

Today is a big day for the team here at SMS PASSCODE as we release SMS PASSCODE 7.2.

As most of you will recall, we released version 7.0 earlier this year, which introduced a number of unique features to the market. One of these is Secure Device Provisioning (included as standard in the SMS PASSCODE MFA license), which enables secure and convenient self-enrollment of ActiveSync devices into an organization without the need to contact IT. This greatly reduces the complexity IT administrators face around Bring Your Own Device, and the demand for this particular feature is growing rapidly as more and more users take advantage of the flexibility that using their own devices in the company IT environment offers.

Another innovation we introduced was Contextual Message Dispatching (also referred to as Location Aware Dispatching), where the One-Time-Passcode (OTP) delivery method is determined by the user’s location or by any preferences the individual user may have. As an example, you can configure the system to prefer SMS over voice call dispatching during logins from Europe, while preferring voice call over SMS dispatching during logins from North and South America. Or you can send one-time-passcodes to your mobile phone by default, but perform a voice call to a fixed-line phone number when you are logging in from a branch office. The choice is yours as you have full flexibility to configure SMS PASSCODE to your particular requirements. Also, since we added OATH token support, customers now benefit from an even broader range of OTP delivery methods. This was indeed an exciting milestone for us, and now it is with great pleasure that we make version 7.2 available for download.

In particular, our Password Reset Module has been enhanced with a number of rich features in version 7.2, making this product a truly unique and powerful solution for convenient and secure password reset.

The main issue with the various password reset solutions available on the market today is that they simply fail in the ‘real world’ as they are not convenient in the moment of truth when the user is locked out and needs to reset their password. With version 7.2 our Password Reset Module is simply deployed on your server without the need to deploy software on the user’s devices. In fact the user doesn’t even need to know about the solution, since SMS PASSCODE conveniently guides the user through the process of resetting the password when the problem arises. A message will be sent to the user’s mobile phone via SMS/text or email once the password is about to expire (e.g. 3 days before). Via a link in the message the user can take action and visit the password reset website directly from their mobile, tablet or PC, where he or she is then guided through the process of resetting the password.

Sounds good right? But wait there is more! The solution can be configured to adapt the level of authentication required to reset the password based on the location of the user. For example if the user is located in a trusted location such as inside the head office, then the old password is enough to successfully reset the password. Whereas if the user is trying to reset the password from a non-trusted location then a personal passcode and OTP would be required.
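The location-dependent reset policy described above, together with the Contextual Message Dispatching preferences from earlier in this post, can be sketched as follows. This is an added Python example, not SMS PASSCODE code or configuration syntax; the site map, the network ranges (RFC 5737 documentation addresses), the labels and the function names are all assumptions made for illustration.

```python
import ipaddress

# Constructed site map (assumption): RFC 5737 documentation ranges with
# hypothetical site and region labels. A real deployment would use its own
# office networks and a geolocation source.
SITE_MAP = [
    (ipaddress.ip_network("192.0.2.0/25"), "head_office", "europe"),
    (ipaddress.ip_network("192.0.2.128/25"), "branch_office", "europe"),
    (ipaddress.ip_network("198.51.100.0/24"), "remote", "europe"),
    (ipaddress.ip_network("203.0.113.0/24"), "remote", "americas"),
]
TRUSTED_SITES = {"head_office"}  # whitelist: anything not listed is untrusted


def locate(source_ip):
    """Return (site, region) for a login source, or ("unknown", None)."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return ("unknown", None)  # malformed input is never trusted
    matches = [(net.prefixlen, site, region)
               for net, site, region in SITE_MAP if addr in net]
    if not matches:
        return ("unknown", None)
    _, site, region = max(matches)  # most specific network wins
    return (site, region)


def reset_factors(source_ip):
    """Factors required before a password reset is allowed."""
    site, _ = locate(source_ip)
    if site in TRUSTED_SITES:
        return ["old_password"]
    # Untrusted or unknown location: step up to passcode plus OTP.
    return ["personal_passcode", "otp"]


def dispatch_order(source_ip):
    """Preferred OTP delivery channels, most preferred first."""
    site, region = locate(source_ip)
    if site == "branch_office":
        return ["voice_fixed_line"]
    if region == "americas":
        return ["voice", "sms"]
    # Europe; also used as the default for unknown regions (assumption).
    return ["sms", "voice"]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.200", "203.0.113.7", "not-an-ip"):
        print(ip, locate(ip), reset_factors(ip), dispatch_order(ip))
```

The policy fails closed: a source address that cannot be parsed or is not in the site map is treated as untrusted and gets the stronger requirement.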

To learn more about this and other features included in version 7.2, please register for our Version 7.2 Highlights webinar on 26 June or contact us directly.
