Batting Cleanup...before March Madness

My last Blog post was at the end of January. Now, in late February - as the baseball teams get into the swing of Spring Training (see what I did there?) - and after Shawn, Chris, and Richard posted excellent Blog articles in February, I’m in the #4 spot. I’m “batting cleanup.” Don’t worry, I think the Astros are in good shape with a talented set of choices; it’s merely a sports analogy from a geek. We’re not going to compete in Minute Maid Park, but we will be there to cheer on the team when they start home games in April.

But I digress…back to late February and my thoughts for this riveting post.

Hmmm…so many passwords, so many post-its!


Adding a key point to Shawn’s insightful post about Passwords, and combining with Chris’ thoughts about small business security, PLEASE STORE YOUR PASSWORDS IN A SAFE PLACE!

In January we blew through the 1-year anniversary of Hawaii’s bizarre “2018 end of the world” panic, prompted at the time by an emergency management signal that warned (falsely, it turned out) of inbound ballistic missiles from North Korea. In Houston it went largely unnoticed for several reasons, primary of which is that it didn’t happen here. However, in preparing discussion topics for an upcoming talk, I dug into the details to refresh my memory. My research (searching “hacked credentials: password in photo led to Hawaii emergency alert, north korean missile inbound”) centered around a key point: a password critical to the process had been compromised.

My time in government service, predominantly in the Army but in a wide variety of joint-service and civilian-heavy organizations, spanned a 30-year career that began in 1984. Over that period I saw more than a few changes in IT and our use of computers, electronics, gadgets, and other tech toys. I also worked in restricted access areas requiring secret and top-secret clearances, most obviously denoted by wearing a “Blue Badge.” This backdrop prompts me to note several disturbing aspects of the Hawaii incident:

1) A password was written on a post-it note and stuck to the monitor of the alleged source of the incident.

2) The post-it note with password was photographed in July 2017 and published on social media.

3) The photo was published by a proud government civilian, who wanted to share his great work environment with friends and family.

Sadly, the 3d item should never have happened. TOTALLY INAPPROPRIATE, and obviously the #2 and #1 items ALSO would not have happened had #3 never occurred. So it begs some questions: Why was the photo taken? How did a restricted space with a “blue badge” employee even allow the photo to be taken? If the photo was sanctioned, why was the area not “sanitized,” i.e., why did he show his access badge and post-it note, along with a host of other items and physical cues to what goes on in the command center? It is THE STATE of HAWAII’s EMERGENCY MANAGEMENT Command and Control Center! Can you imagine walking into the Pentagon, the White House Situation room, or Jack Bauer’s CTU crisis center and just taking a happy-snap for your Instagram post? I cannot.

Circling back to both Shawn’s and Chris’ posts, here is my point: just like not leaving keys in the ignition to your car with the windows down and doors unlocked, it REALLY is NOT SMART to write your password and store it in an obvious place near your computer. At Envision, we have fantastic tools to help individuals, small businesses, non-profit organizations, government entities, and even large corporations manage their information. You can trust me - in my life I have served at various levels of each of these types of organizations.

Pointing out Richard’s #3 Blog post of February, we have developed great loyalty and trust with our existing clients. Our amazing clients have helped build Envision Design into Houston’s oldest member of the Apple Consultants Network. We specialize in securing and monitoring their computer systems 24x7. And we are doing it in diverse situations, including the very restrictive, high-penalty world of HIPAA compliance and regulation. I’d like to highlight a key point of Richard’s “How to become an "En-Visionary"...” rewards program: because our clients TRUST us with the life-blood of their businesses, and because we have to earn their LOYALTY and retain it monthly, we understand that every customer matters. Chris pointed it out with his question of “So why should small businesses partner with a MSP?” EVERY business should have protection in place. We all owe it to our own patients, clients, customers, and business/practice/firm team members. The price of failure could be…well, failure.

In looking ahead to March, the elite teams will emerge in the NCAA basketball tournament. Another sports reference from Tom: March Madness is on the way! Love it or hate it — or even for those just indifferent to it — March Madness frenzy is measurable, and HUGE. Reflecting on our Blog posts, we’d love to see a frenzy of referrals in March, fueled by true passion to help each other secure, safeguard, and monitor sensitive information. As much as it’s about “NCAA tournament brackets,” I’d love to see March Madness become a business referral principle, as well. Send me your thoughts!

How to become an "En-Visionary"...

refer a client to us … become an En-Visionary member


Who do you know that needs Envision’s managed IT services?

As a faithful and valued Envision client, you are best qualified to understand what we do and recommend us to your business associates.

Envision has been managing the technology needs of Houston area businesses for more than 25 years. In that time, we are privileged to have grown based on referrals from our friends, business associates, and our loyal and satisfied clients.

If you know of a company with 10 or more computers needing help with managing, monitoring, and securing their IT systems, ensuring they have data backups and a disaster recovery plan in place, or needing help with meeting HIPAA compliancy requirements, please let us know. 

We are thrilled and humbled to receive these referrals and want to show our appreciation to you via our En-Visionary Referral Rewards Program.

To join the rewards program, simply fill out the form here and if your referral signs up as a Partner Plan Client with Envision, you will receive a new Apple iPad as a thank you gift.*

Why should small businesses partner with a MSP?


Small businesses exist in many forms in the United States and can exist as a small corner store or a medical practice. The average consumer utilizes small businesses more than they think during an average week. Over the years I have heard small business owners describe their business as insignificant, small and not worth a cyber attacker’s time. But the truth is that small businesses are more vulnerable than ever, and cyber criminals know it. 

A managed service provider has the expertise needed to help guide small businesses at a fixed monthly cost. Managed service providers have the staff needed to take care of anything from desktop repair all the way up to cyber security needs. Leveraging the services of a managed service provider (MSP) gives you access to a wider range of technical skills than you would otherwise have with internal staff. What this means to the small business owner is that someone is taking care of the business's most vulnerable information. Managed service providers are experts in security, backups, maintenance and disaster recovery.

So why should small businesses partner with a MSP?

When a small business makes its cyber-security needs a priority, its continued success in the community is what is most affected. The reputation it has built up over the years remains intact, and it shows continued respect for the ever-changing way in which consumers interact with the business. There are many resources available through managed service providers for small business owners who cannot afford to hire full-time staff, and partnering with the right company, one that can support the ever-changing technology needs of the business, is critical to its continued success. As much as 60 percent of hacked small and medium-sized businesses go out of business after six months. A data breach for a small business can be a fatal blow and turn a once successful venture into nothing but painful distant memories.

Passwords


Protecting your sensitive information from the wrong people is a major concern in the information age. That almost always, at some level, involves passwords.

You’ve seen those aggravating password policies that require certain characters, or length, or expiring every so often. Here, let’s reverse engineer what makes a good password, and determine how you can create consistently good passwords.

Ways to “hack” a password

To state the obvious, a password works if you know it. There may be additional authentication factors in a given system that verify one’s identity, but as we’re just looking at passwords, a system doesn’t care who enters the password: anyone who knows the password can authenticate with it. There are several ways the wrong people may come to know a password they shouldn’t.

Phishing

This often originates via a fraudulent email, with the end goal of having the user type their actual password somewhere that allows the attacker to see or copy the password and use it themselves. They are hoping the user is either not aware of such scams or not paying attention to the warning signs (email sender, browser domain name, typos...). In my own experience, this is the most common cause of “getting hacked.”

Guess

This would be the Sherlock Holmes style of password cracking. The person trying to access the information would, usually through social engineering, learn details about their target (pet’s name, anniversary date, etc.) and try those. They are hoping their target chose something short and easy to remember. Or wrote it on a sticky note underneath their keyboard.

Lists

These lists can come from the data breaches that make headlines, or from smaller ones you never hear about, but the result is the same: actual passwords are obtained and shared. Responsible organizations will force a password reset and notify their users as soon as they become aware of a breach, but attackers hope the victims use that same password on multiple systems and try it elsewhere.

Brute-force

This one lets computers do all the work. A fairly simple script cycles through either a dictionary of common passwords or every possible combination of characters until it finds one that works. The hope here is that the password is short enough that a computer can crack it in a reasonable amount of time, and they’re getting faster every day.

Bad passwords

So to mitigate all those methods, we don’t want a password to be:

  • guessable

  • reused

  • short

But it does need to be easy to remember...
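
The three properties in the list above can be checked mechanically across a set of stored passwords. The following is an added example, not part of the original post; the 14-character threshold, the sample vault and the personal details are constructed assumptions.

```python
import math
import string
from collections import defaultdict

MIN_LENGTH = 14  # assumed cut-off for "short"; the post does not give a number

def charset_size(password):
    """Size of the alphabet an exhaustive search would have to cover."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # 32 ASCII punctuation characters plus space
    return size

def brute_force_bits(password):
    """log2 of the keyspace for trying every combination of this length.
    This is an upper bound: it says nothing about guessing or leaked lists."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def audit(vault, personal_details):
    """Return {site: [findings]} using the post's three bad-password properties."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    findings = {}
    for site, password in vault.items():
        issues = []
        if any(d.lower() in password.lower() for d in personal_details):
            issues.append("guessable")  # contains a detail others could learn
        if len(sites_by_password[password]) > 1:
            issues.append("reused")     # one breach exposes every site sharing it
        if len(password) < MIN_LENGTH:
            issues.append("short")      # small keyspace for brute force
        findings[site] = issues
    return findings

# Constructed sample data, not real credentials.
SAMPLE_VAULT = {
    "bank.example": "Rex2015!",
    "mail.example": "Rex2015!",
    "shop.example": "correct-horse-battery-staple",
    "forum.example": "q7#Lm2",
}
SAMPLE_DETAILS = ["rex", "2015"]  # pet's name and anniversary year

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_VAULT, SAMPLE_DETAILS).items():
        bits = brute_force_bits(SAMPLE_VAULT[site])
        print(f"{site:15} {bits:6.1f} bits  {', '.join(issues) or 'ok'}")
```
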

Practical passwords

Personally, I have passwords to ~300 websites. That doesn’t include all the passwords I use as an IT admin. Out of those, I could only tell you what two of them are: the one for my bank, and the one for my password manager.

Password manager

Password managers remember all your passwords for you, so you don’t have to write them down. Decent ones store your passwords in a cryptographically secure way that only you can access, essentially making them “breach proof.” Good ones will work on all your devices, and can also generate long, random passwords for you, so you have no reason to reuse a password you used elsewhere. Great ones will even track all those breaches for you, so you can change any compromised passwords as soon as possible.

At Envision Design, we use and recommend 1Password for personal and business use. You can read more about this popular and secure password manager and contact us for a quote for your team.

Passphrase

When you do need a password you can remember, like for your password manager: use a passphrase. Pick a favorite verse from a song, or quote, or line from a book... you already have a lot of phrases memorized, so use that! For example, the passphrase:

Welcome 2 the Jungle — we’ve got fun & games!

is long, I’m the only one who knows how I chose to spell, punctuate and capitalize it, and is super easy for me to remember. (I put passphrases after password managers because many sites don’t allow for lengthy passwords with all the symbols, so you’ll still need those randomly generated strings.)

Still have questions about how to protect your personal or business information online? We offer a full array of cyber security services and products, so reach out to us to set up a quick meeting or consultation!

New Years Resolutions - 1 month down, how are we doing?

January draws to a close this week, and we are super-excited about 2019, right? At least that’s what we said a month ago; so now it’s time for a progress report. Vector check. Monthly review. Self-assessment. Call it what you want, but reviewing status is a no-brainer, especially when it comes to business goals.

Over the past month I have had many conversations with clients and interested parties regarding Envision Design’s security, data protection, backup, and recovery processes. Surprisingly, some business owners still seem to treat these aspects of protecting their businesses with a casual, “Hey, it’s good enough. I’m pretty sure there’s nothing that can go wrong, and I am fairly certain I can recover what’s needed so I can stay up and running.”

Well, maybe that’s a bit overstated - they haven’t really been THAT casual. But some responses have indicated a bigger lack of awareness. Some even seem to be the proverbial ostrich with its head in the sand. So what happened? Think of the New Years Resolution of “I am going to be serious in 2019, look into vulnerabilities and weaknesses my business has, and mitigate or even eliminate the chance of going bankrupt this year.”

Tom Sands, here - your friendly Client Relations Manager at Envision Design. Maybe it’s just the career Army guy in me, but protection is ALWAYS critical. From an outpost of 1 Soldier doing daytime duty at the front gate of “Camp Swampy,” USA, to a Corps of over 60,000 people deployed for months (or years) of combat operations - and all points in between - it always starts with security. We protect ourselves first, make sure we can communicate second, and then take care of myriad priorities of work from there.

I have found the business world to be no different. If money or information is exchanging hands, external forces seem to be ready to pounce. They want to catch a free ride; and they are looking for an easy chance to intercept some, all, or even MORE than just the transactional amount. Treasure troves have been released by simple, small vulnerabilities. Look at the Target breach of millions of customers’ data - it occurred largely because the Heating Ventilation Air Conditioning (HVAC) log-in was simple, AND it was on the same network as the financial data. I’ll bet the Target leadership did NOT have the New Years Resolution to ensure they had heightened security in 2013. That said, after the November incident, we can all be assured that their 2014 resolution included a healthy dose of security upgrades.

Heading into February, our Envision Design newsletter will hit the streets in a week. Along with it is the monthly free report, “The 7 Most Critical IT Security Protections Every Business Must Have In Place NOW To Protect Themselves From Cybercrime, Data Breaches And Hacker Attacks.” Truth be told, none of our clients are the size of Target; but we treat each one with the same level (or an even HIGHER level) of respect in terms of securing, monitoring, protecting, backing up, taking actions against threats, and preparing to recover their data. At the beginning of the 2d month of 2019 would be a perfect time to review the 7 Protections checklist. Reflect. Assess. Take action.

Our clients went into business to help people, to follow their passions, and to make money in the process. We aim to have them ALL on board when we roll into 2020, so we work hard during the day to stay ahead of threats - learning, studying, training, monitoring, watching for anomalies or intrusion - and we sleep well at night, assured that the systems are in place to make all of that happen 24-7. It’s like being in the Army, again - we are on duty all the time.

Contact us any time - email help@envisiondesign.net or call 832-442-8588.


Ever Vigilant - as a modification of the National Security Agency’s motto, Envision Design is “Defending Our Clients, Securing The Future.”

See where your business stands. Fill out a basic 20-question checklist; take our survey, and let us help you bring your vision for your business into focus.

Click the image above to visit our internal page. We will contact you to review your results.