Tech Applied - March Newsletter is available for download

March 2019 Tech Applied Newsletter


The March newsletter has everything from a book recommendation for Powerful by Patty McCord (Netflix Chief Talent Officer), to business lessons from Petra’s lead business coach Andy Bailey, to a quick lesson on three insidious ways cybercriminals exploit employee human error to get into your network.

Click on the image to download your free copy. You can also contact us via our website and let us know if you would like to have a printed copy sent to you each month.

If you have questions about any of the IT issues discussed in the newsletter, or ANY IT issues for your business, please don’t hesitate to call or email us.

Envision Design is the only certified member of the Apple Consultants Network that has been helping Houston businesses manage, monitor, and secure their technology systems for over 25 years. Whether you

… need to comply with industry-mandated security requirements like HIPAA,

… want to implement a backup and disaster recovery plan,

… or simply want to improve the productivity and profitability of your team,

Envision will manage all your IT needs so you can get on with the great work YOU want to do. With no long-term contracts, we retain clients by providing outstanding customer service. Fluent in both Apple and Microsoft solutions, we ensure your critical data has been backed up and is protected with a disaster recovery plan in hurricane-prone Houston.

Call us today at 832.422.8588 or toll free at 1.866.966.9406 to schedule a free consultation meeting.

Apple announces updated iPads...

the new iPad Air


Apple announced two new or updated iPads today: a new 10.5” iPad Air and an updated iPad mini, both of which support the 1st generation Apple Pencil and the A12 Bionic chipset.

The existing 10.5” iPad Pro has been discontinued, leaving the 11” and 12.9” iPad Pros in the lineup, both of which support the 2nd generation Apple Pencil.

The existing 9.7” iPad remains unchanged.

You can check out the full lineup and compare models on Apple’s web site.

the new iPad mini



Meet & Geek meetup revived for March 2019!

We just wanted to let everyone know here that we have revived our Monthly Meet & Geek social event. We will meet monthly on a Tuesday (typically) to socialize, speculate, pontificate, eat, drink, smile, laugh, generally just chill a bit at the Spring Street Beer & Wine Garden. We can talk tech or just geek out about the current Marvel movies, our favorite cold beverage, sports-ball, or just the weather.

We hope to see you Tuesday, March 12th from 5pm-7pm.

Please go to meetup.com to get signed up for notices and to RSVP.

Multi-Factor Authentication


Multi-factor authentication (MFA), or more narrowly two-factor authentication (2FA), is available on most information systems now, but not all authentication factors provide the same security. Let’s look at what an authentication factor is, why factors are used, and how they can best be implemented.

The Factors

In information security, authentication refers to the process of confirming that a user or service is who or what they claim to be. There are many methods of doing so, often grouped into “factors.” The common factors are:

  • something you know

  • something you have

  • something you are

  • somewhere you are

We already looked at the “something you know” factor in the form of passwords and pass phrases. PINs are another form of this knowledge factor, or those “security questions” like the name of your favorite teacher. (“Ask me something only I would know!”)

The “something you have” factor refers to a physical object in your possession. The key to your home is a possession factor that authenticates your access to your domicile. A debit card is an object that authorizes your access to money in an account. Probably the most common form of 2FA on websites indirectly uses your mobile phone as a possession factor: the site sends a text message to the phone, and you relay the code back to the website.

“Something you are” is the most natural form of authentication: when you see someone you know or hear their voice, unless you’re Ethan Hunt you know who they are. For information systems, these inherent factors are almost always some form of biometrics. Fingerprint scanning (Touch ID), voice recognition, facial recognition (Face ID), retinal or iris scanning, DNA testing, gait analysis… anything that is inherently you and statistically unique.

Time vortices aside, “somewhere you are” is also a pretty naturally understood factor. If you come home to a broken flower pot, figuring out whether the doggo or Miley Cyrus is to blame usually does not take a lot of investigating. If you saw your boss enter her office this morning and didn’t see anyone else go in, you are probably not questioning who you hear typing at her desk. For our purposes, the location factor could be physical access to a machine (UAMDM) or connecting via LAN vs VPN or WAN.

Theory and Practice

The idea behind using two or more factors for security is that if one credential in a factor has been compromised, the entire factor likely has been, or can easily be, compromised. E.g., if someone stole the key to your deadbolt, having a second key for your doorknob isn't much more secure, since the whole keychain was likely stolen.

In this vein, having to enter a password and answer a security question to log into a system doesn't add a factor to the system's security, because both are knowledge factors. Not that those questions are completely useless, but they should (1) be treated like a password (don't use "real" answers that can be found online) and (2) not mislead anyone about the security they provide.

Implicit factors can also lead to a false sense of security. A mobile device is a possession factor, but a phone number is not. NIST recommended against SMS 2FA back in 2016, and the EFF reiterated the vulnerabilities of the cell network a couple of months ago. Apple, confusingly but with the right intention, does not even categorize SMS codes as 2FA, but instead calls them "two-step verification." They reserve the moniker "two-factor authentication" for their proprietary iCloud codes, which do not share the same vulnerabilities. Google Authenticator type apps are also a more secure alternative to SMS.

A common retort is that SMS 2FA is better than no 2FA. But if better options exist, why choose the worst one? The gold standard in possession-factor authentication used to be RSA SecurID key fobs, but the FIDO Alliance has since championed several industry standards, which can be implemented using inexpensive devices like a YubiKey.

If you have any questions or concerns about the authentication being used to protect your business, reach out to us to set up a quick meeting or consultation. We offer a full array of cyber security services and products.

Batting Cleanup...before March Madness

My last Blog post was at the end of January. Now, in late February - as the baseball teams get into the swing of Spring Training (see what I did there?) - and after Shawn, Chris, and Richard posted excellent Blog articles in February, I’m in the #4 spot. I’m “batting cleanup.” Don’t worry, I think the Astros are in good shape with a talented set of choices; it’s merely a sports analogy from a geek. We’re not going to compete in Minute Maid Park, but we will be there to cheer on the team when they start home games in April.

But I digress…back to late February and my thoughts for this riveting post.

Hmmm…so many passwords, so many post-its!


Adding a key point to Shawn’s insightful post about Passwords, and combining with Chris’ thoughts about small business security, PLEASE STORE YOUR PASSWORDS IN A SAFE PLACE!

In January we blew through the 1-year anniversary of Hawaii’s bizarre “2018 end of the world” panic, prompted at the time by an emergency management signal that warned (falsely, it turned out) of inbound ballistic missiles from North Korea. In Houston it went largely unnoticed for several reasons, the primary one being that it didn’t happen here. However, in preparing discussion topics for an upcoming talk, I dug into the details to refresh my memory. My research (searching “hacked credentials: password in photo led to Hawaii emergency alert, north korean missile inbound”) centered around a key point: a password critical to the process had been compromised.

My time in government service, predominantly in the Army but in a wide variety of joint-service and civilian-heavy organizations, spanned a 30-year career that began in 1984. Over that period I saw more than a few changes in IT and our use of computers, electronics, gadgets, and other tech toys. I also worked in restricted access areas requiring secret and top-secret clearances, most obviously denoted by wearing a “Blue Badge.” This backdrop prompts me to note several disturbing aspects of the Hawaii incident:

1) A password was written on a post-it note and stuck to the monitor of the alleged source of the incident.

2) The post-it note with password was photographed in July 2017 and published on social media.

3) The photo was published by a proud government civilian, who wanted to share his great work environment with friends and family.

Sadly, the third item should never have happened. TOTALLY INAPPROPRIATE, and obviously the #2 and #1 items ALSO would not have happened had #3 never occurred. So it raises some questions: Why was the photo taken? How did a restricted space with a “blue badge” employee even allow the photo to be taken? If the photo was sanctioned, why was the area not “sanitized,” i.e., why did he show his access badge and post-it note, along with a host of other items and physical cues to what goes on in the command center? It is THE STATE of HAWAII’s EMERGENCY MANAGEMENT Command and Control Center! Can you imagine walking into the Pentagon, the White House Situation Room, or Jack Bauer’s CTU crisis center and just taking a happy-snap for your Instagram post? I cannot.

Circling back to both Shawn’s and Chris’ posts, here is my point: just like not leaving the keys in the ignition of your car with the windows down and doors unlocked, it REALLY is NOT SMART to write down your password and store it in an obvious place near your computer. At Envision, we have fantastic tools to help individuals, small businesses, non-profit organizations, government entities, and even large corporations manage their information. You can trust me - in my life I have served at various levels of each of these types of organizations.

Pointing out Richard’s #3 Blog post of February, we have developed great loyalty and trust with our existing clients. Our amazing clients have helped build Envision Design into Houston’s oldest member of the Apple Consultants Network. We specialize in securing and monitoring their computer systems 24x7. And we are doing it in diverse situations, including the very restrictive, high-penalty world of HIPAA compliance and regulation. I’d like to highlight a key point of Richard’s “How to become an "En-Visionary"...” rewards program: because our clients TRUST us with the life-blood of their businesses, and because we have to earn their LOYALTY and retain it monthly, we understand that every customer matters. Chris pointed it out with his question of “So why should small businesses partner with a MSP?” EVERY business should have protection in place. We all owe it to our own patients, clients, customers, and business/practice/firm team members. The price of failure could be…well, failure.

In looking ahead to March, the elite teams will emerge in the NCAA basketball tournament. Another sports reference from Tom: March Madness is on the way! Love it or hate it — or even for those just indifferent to it — March Madness frenzy is measurable, and HUGE. Reflecting on our Blog posts, we’d love to see a frenzy of referrals in March, fueled by true passion to help each other secure, safeguard, and monitor sensitive information. As much as it’s about “NCAA tournament brackets,” I’d love to see March Madness become a business referral principle, as well. Send me your thoughts!