It’s Time to Revisit Your Password Best Practices


When an attacker tries to get into one of your accounts, the first obstacle is usually the password. That is why security professionals keep urging people to choose passwords with security in mind. The latest guidelines from the National Institute of Standards and Technology (NIST) break with some long-held conventions, but they offer valuable insight into password best practices.

What is the NIST?

NIST is a U.S. federal agency whose Digital Identity Guidelines (Special Publication 800-63B) set the authentication rules that federal systems follow and that many private organizations adopt as well. Its advice shifts over time, because attackers adapt to whatever standards defenders settle on, but it is well grounded and worth following. The most recent update to its password guidance is summarized below.

The New Guidelines

Many organizations and federal agencies have adopted these guidelines. Here are the latest recommendations for building a secure password policy.

Length Over Complexity

For years most security professionals pushed password complexity, but the NIST guidelines disagree. NIST's position is that length matters more than complexity: a longer password takes far more guesses to crack, while composition rules that force numbers, symbols, and mixed case add little and, in practice, can make passwords weaker.

The reasoning is that forced complexity leads users to passwords they cannot remember, so when they are told to pick a new one they fall back on predictable tweaks such as appending a "1" or an exclamation point. Those patterns are easy to guess if the original password leaks. Users under such rules are also more likely to reuse one password across many accounts, which is a separate problem that does nothing for security.

No More Password Resets

Many organizations require staff to change their passwords periodically, typically every month or every few months. The idea is to rotate passwords preemptively in case the old ones have been compromised, so that a stolen password stops working once it has been changed. While this was an accepted best practice for a long time, NIST now recommends dropping routine expiry, because it is counterproductive to account security; a password should be changed when there is evidence it has been compromised, not on a calendar.

The reasoning is that people are less careful choosing passwords when they are forced to make new ones all the time, and when they do change them they tend to follow a pattern so they can remember them. A password can therefore remain effectively compromised even after it has been changed, because an attacker who knows one version can guess the next.

Make Passwords Easy to Use

Some network administrators worry that quality-of-life features such as showing the password while the user types it, or allowing copy and paste from a password manager, make passwords easier to compromise. NIST's guidance is the opposite: ease of use does not weaken security, and people are more likely to follow password policy, and to use long, unique passwords, when you make it easy for them to do so.

Don’t Give Out Password Hints

That said, you don't want to make things too easy in the wrong way. One way administrators help employees who forget passwords is with password hints, and that system is flawed, especially now that so much personal information is shared on social media and the Internet generally. If Sally builds her password around her dog's name, an attacker may find that name on her social media profile and try variations of it until the account is compromised. NIST advises against hints for this reason, so in the interest of network security it is better to forgo them. There are other ways to make your password system easier to live with that don't compromise security.

Limit Password Attempts

Limiting failed password attempts means an attacker guessing online gets only a bounded number of tries before the account is locked or throttled. NIST's guideline caps consecutive failed attempts against a single account at no more than 100. Legitimate users are rarely affected: NIST's observation is that most employees fall into one of two categories, either they remember their password or they keep it stored somewhere (ideally in a password manager), so a limit on attempts will not inconvenience them but makes a real difference against brute-force guessing.
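The three mechanical rules above (length over composition rules, a blocklist of known-bad passwords, and a cap on consecutive failures) are easy to get wrong in code, so here is an added example in Python that implements them in the spirit of NIST SP 800-63B. It is not code from the original post or from NIST; the blocklist, the account record, the fixed salt and the thresholds are constructed stand-ins for a breached-password feed, a user database and a per-user random salt.

```python
"""Password acceptance and lockout checks in the spirit of NIST SP 800-63B.

Added example, not code from the original post or from NIST. The blocklist,
account record, salt and thresholds are constructed stand-ins; a real
deployment loads a breached-password feed and uses a random salt per user.
"""
from __future__ import annotations

import hashlib
import hmac
import unicodedata

MIN_LENGTH = 8           # SP 800-63B minimum for a user-chosen secret
MAX_LENGTH = 64          # verifiers must accept at least this many characters
MAX_FAILED = 100         # SP 800-63B: no more than 100 consecutive failures per account
PBKDF2_ROUNDS = 100_000  # tune upward for production hardware

# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str, run: int = 4) -> bool:
    """True for runs like 'aaaa', 'abcd' or '4321' of at least `run` characters."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, username: str, service: str = "example-corp") -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Deliberately no composition rules: digits, symbols and mixed case are
    neither required nor rewarded. Length, blocklist membership and
    context-specific words are what matter.
    """
    pw = normalize(candidate)
    low = pw.lower()
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if low in BLOCKLIST:
        problems.append("appears in breached/common password list")
    if username.lower() in low or service.lower() in low:
        problems.append("contains username or service name")
    if is_repetitive_or_sequential(low):
        problems.append("repetitive or sequential characters")
    return problems


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted, iterated hash; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed account record: real code uses os.urandom(16) as the salt per account.
_SALT = b"constructed-fixed-salt"
ACCOUNTS = {"sally": (_SALT, hash_password("correct horse battery staple", _SALT))}


class FailedAttemptLimiter:
    """Counts consecutive failures per account; any success resets the count."""

    def __init__(self, limit: int = MAX_FAILED) -> None:
        self.limit = limit
        self._failures: dict[str, int] = {}

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.limit

    def record(self, account: str, success: bool) -> None:
        if success:
            self._failures.pop(account, None)
        else:
            self._failures[account] = self._failures.get(account, 0) + 1


def attempt_login(limiter: FailedAttemptLimiter, account: str, supplied: str) -> str:
    """Return 'locked', 'ok' or 'denied'. Unknown accounts are hashed too,
    so response time does not reveal whether the username exists."""
    if limiter.is_locked(account):
        return "locked"
    salt, stored = ACCOUNTS.get(account, (_SALT, b"\x00" * 32))
    ok = hmac.compare_digest(hash_password(supplied, salt), stored)
    limiter.record(account, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    print(check_password("correct horse battery staple", "sally"))  # accepted: []
    print(check_password("Password", "sally"))                       # rejected: blocklisted
    limiter = FailedAttemptLimiter(limit=3)
    for guess in ("letmein", "sally2020", "Password1", "correct horse battery staple"):
        print(guess, "->", attempt_login(limiter, "sally", guess))
```

Note what the checker does not do: it never demands a digit or a symbol, and `Password` is refused not because it lacks them but because it is on the blocklist. The limiter counts only consecutive failures, so a user who mistypes once and then succeeds is never penalised, while a guessing attacker hits the cap quickly.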

Implement Multi-Factor Authentication

AE Technology Group recommends that your business implement multi-factor (or two-factor) authentication wherever possible. NIST's guidance is that a user should have to demonstrate at least two of the following types of authenticator before gaining access to an account:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

If two of the above are satisfied, there is much stronger evidence that the person logging in is the account's legitimate owner. Consider how much harder this makes an attacker's job: even with the password in hand, they are unlikely to also have physical possession of the user's phone, face, or fingerprint.
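The most common "something you have" factor is a time-based one-time code generated by an authenticator app. The added example below, in Python, implements the RFC 6238 TOTP algorithm and the server-side verification step; it is not code from the original post or from NIST. The secret is the RFC 4226/6238 reference test key, used here as a constructed fixture so the results can be checked against the published vectors; a real enrolment generates a random secret per user and shares it once, typically via a QR code.

```python
"""RFC 6238 TOTP verification: the "something you have" factor.

Added example, not code from the original post or from NIST. The secret is
the RFC 4226/6238 reference test key, used as a constructed fixture; a real
enrolment generates a random secret per user and shares it once via QR code.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC test-vector key, NOT for real use
STEP = 30      # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int | None = None, step: int = STEP) -> str:
    """Code for the time step containing `at` (Unix seconds; default: now)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay protection.

    Accepts the current step plus `window` steps on either side, compares in
    constant time, and never accepts a step at or before the last accepted
    one for that user, so a code captured by phishing cannot be replayed.
    """

    def __init__(self, window: int = 1, step: int = STEP) -> None:
        self.window = window
        self.step = step
        self._last_counter: dict[str, int] = {}  # constructed in-memory store

    def verify(self, user: str, secret: bytes, submitted: str, at: int | None = None) -> bool:
        if at is None:
            at = int(time.time())
        now_counter = at // self.step
        matched: int | None = None
        for delta in range(-self.window, self.window + 1):
            candidate = now_counter + delta
            # Evaluate every candidate (no early exit) so timing stays uniform.
            if hmac.compare_digest(hotp(secret, candidate), submitted) and matched is None:
                matched = candidate
        if matched is None:
            return False
        if matched <= self._last_counter.get(user, -1):
            return False  # replay of an already-used step
        self._last_counter[user] = matched
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (last six digits of the published 8-digit SHA-1 values).
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(TEST_SECRET, t))
    v = TotpVerifier()
    print(v.verify("sally", TEST_SECRET, "050471", at=1111111111))  # True
    print(v.verify("sally", TEST_SECRET, "050471", at=1111111111))  # False: replay
```

Two details matter in practice. The window of one step either side tolerates small clock skew between phone and server without widening the attacker's odds much, and the per-user "last accepted counter" is what stops a code that was phished seconds ago from being reused; without it, a real-time phishing proxy defeats TOTP entirely.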

Make password security a priority for your organization now so that you don't have to worry about data breaches down the road. AE Technology Group can help you set up a password manager that makes adhering to these best practices easier. To learn more, reach out to us at (516) 536-5006.

BlackRock Trojan: Aggressive Viral Menace For Android Device Users


A new Android threat known as the BlackRock trojan has already targeted more than 300 Android applications, including banking, social media, and dating apps. Any app with payment features, which today is most of them, is a potential target, and users' credentials and credit card details can be harvested. How does it work, and what does it mean for the future of the Android platform?

The Mechanics of BlackRock

BlackRock's route onto a device is a fake Google update: the malicious app poses as an update and asks the user to grant it Accessibility Service privileges. Once those are granted, it needs no further interaction from the user, because it abuses the Accessibility Service to grant itself additional permissions on its own.

Some of BlackRock's abilities are standard for a trojan, and some are more troubling. It can collect device information and perform overlay attacks, drawing a fake login screen over a targeted app so that credentials and card details are captured as they are typed. More concerning, it can block antivirus apps from running and resist being uninstalled, giving it a longer lifespan than most malware, and therefore more time to damage the device and steal more information.

The Network and History of BlackRock Malware

Research by ThreatFabric concludes that BlackRock is based on the banking malware Xerxes, seen in 2019, which is itself a variant of LokiBot. LokiBot circulated in 2016 and 2017 as part of an underground malware-for-rent market, and what turned it into a ubiquitous problem was the leak of its source code.

Newer Android releases temporarily broke the older malware, forcing its operators to adapt it to the new systems. That respite didn't last long: in 2018, MysteryBot appeared, an update of the leaked LokiBot code that worked on the newer Android versions.

BlackRock's lineage is a chain of LokiBot variants. Parasite was a brief problem before disappearing from the scene, and Xerxes, which appeared in 2019, is BlackRock's direct parent; now, in 2020, we have BlackRock.

Top Apps That Have Been Threatened

Numerous applications have been targeted by BlackRock's overlays, but the most notable are:

  • Gmail
  • Google Play
  • Netflix
  • Wells Fargo
  • Twitter
  • Instagram
  • Facebook

Many others have been targeted as well, leaving an entire suite of applications at risk. Millions of users could be affected and have their financial and contact information end up in the hands of criminals, and there may be many of those, since the malware network described above is vast and diverse.

Implications for Android

Android, being a more open platform, runs a higher risk of attacks like this if its operators don't change how they police the app ecosystem. Two futures exist for Android after this latest campaign.

In one, it stays with the current approach and relies on a numbers game, hoping that the majority of apps hold up with their own individual protections and that the majority of users stay safe.

In the other, it radically changes how it monitors the platform, subjecting prospective apps to much more rigorous analysis and putting far more security scrutiny into the approval process.

Either way, Android's future will remain risky if the growing underground malware market is simply ignored. Serious research into this corner of the criminal world is needed if the platform is to keep its user base safe and secure.

Get more news, tips and tricks at our blog here.

Business Owners 12x More Likely to Be a Cyber Security Target Here’s What You Can Do About It


As a business owner or operator, it is up to you to protect yourself and your employees from cyber attacks. Unfortunately, many small business owners either underestimate the damage a cyber attack can cause or fail to take the proper steps to protect themselves. Below is a look at some reasons why business owners are more likely to be a cyber security target and some steps you can take to reduce your risk.

Why are Business Owners More Susceptible to Cyber Attacks?

A recent Verizon study highlights how exposed business owners are to cyber attacks. Compared with other employees, business owners and senior executives are twelve times more likely to be the target of an attack, and small businesses accounted for 43% of data breaches. Here are a few reasons why business owners and executives are more at risk:

They are incredibly busy

Business owners and top executives are usually preoccupied with the day-to-day work of running a business. They are so busy with customer issues, troubleshooting, and promotion that they have little time to think about cybersecurity.

They often know little about protecting themselves

In addition to having little time to think about IT threats, business owners typically know very little about cybersecurity. They have no idea about the most common threats or what measures they can take to protect themselves.

They think they are immune to attacks

Small business owners, in particular, are especially likely to think that they will never become a target of a cyber attack. They often assume that hackers will target larger, more profitable companies, and therefore focus little on prevention.

They underestimate the damage an attack can cause

With the average cost of a cyber attack now exceeding $1 million, a cyber attack can spell financial doom for a business – especially a small one. Between lost productivity, service disruptions, and a poor customer experience, cyber attacks can cause lasting damage to a business.

What are some simple steps you can take to help prevent attacks?

The path to preventing cyber attacks begins with knowledge and training. By having a keen understanding of your risks, you will be motivated to increase your focus on cybersecurity. Here are a few simple steps you can take to protect yourself from cyber attacks:

  • Make cybersecurity a top priority at your business
  • Incorporate cybersecurity details into your training initiatives
  • Ensure data is kept in a safe, secure location
  • Implement security surveying and testing procedures
  • Closely manage your internet firewall protection

What is the single best way to protect yourself from cyber attacks?

As outlined above, there are many reasons why business owners are at an increased risk of cyber attacks and data breaches. And while there are some measures you can take to help prevent these problems, the single best way to protect yourself and your business is to seek the services of an experienced IT partner. An accomplished IT partner will work with you to educate you and your team about the most common threats. More importantly, they will arm you with a strategic plan to protect you from those threats.

As New York’s premier provider of IT services, AE Technology Group is your solution to preventing cyber security attacks. We invite you to contact us to discover why business owners across NYC and Long Island trust us to protect their identity and their companies. For 20 years, we have delivered five-star IT support and management to businesses of all sizes. We look forward to giving you and your business the cyber security protection you deserve!

Prevent Cyber Attacks With This Essential Guide


From data theft to compromising the core integrity of your company’s sensitive information, cyber attacks can strike anytime, anywhere. Malware and ransomware present a significant liability. Small businesses are especially vulnerable as these entities are often seen as an easy target. 43% of cyber attacks are aimed at small businesses and most close up shop within a year following a data compromise. Don’t leave your company’s future in the hands of hackers. Take control with AE Technology Group’s Essential Guide to Preventing Cyber Attacks.

Identify The Weakest Link

Conduct a detailed audit of your business systems and protocols. Establish what security measures are in place and which areas need to be fortified. A quick vulnerability check is essential for deciding on a course of preemptive action. Does your company train employees on its security policies? Are uniform password standards and other security measures in place? Is software kept updated so that new and evolving threats are actively mitigated?

Filling the gaps in your security wall is the best way to start defending against cyber crime.

Build Your Defense

Invest in robust antivirus and anti-malware software. Whatever the scale of your business, your most valuable asset is your data, and a strong cyber defense is the best way to secure it. Protect your network with a properly configured firewall and establish a routine for updating software and applications, or set systems to update automatically so your security never lapses.

Train Your Team

People are the greatest asset when it comes to preventing cyber attacks. Make sure your staff is equipped to play an active role in cyber security. 

Hosting biannual technology training courses gives employees a structured setting in which to learn about security compliance. From phishing schemes to password protection, the threats evolve rapidly, so keep your crew up to date as well with dedicated in-house support, IT management, and one-on-one training opportunities.

Compliance is Key

Provide uniform corporate standards for data security. This includes password rules and controlling user access through individual employee accounts. For passwords, length beats complexity: a long passphrase of several words (a sentence password) resists guessing far better than a short string of letters, numbers, and special characters, and it is easier to remember. Rather than expiring passwords on a fixed schedule, which pushes users toward predictable variations of the old one, require a change when a credential is suspected of being compromised, and check new passwords against lists of known-breached passwords.

Monitor for unauthorized activity so that threats are detected early; that lets management limit the impact of any malware that slips through the cracks. Manage employee credentials on a least-privilege basis: reserve the ability to install software and make administrative changes to critical systems for specific administrative accounts, and give everyone else only the access their job requires. Limiting access shrinks the damage a compromised account can do.
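"Monitor for unauthorized activity" is only useful if something actually reads the logs. The added example below, in Python, shows the two checks a small business gets the most value from: a burst of failed logins from one source address, and a privileged command run through sudo such as creating a new account. It is not code from the original post; the log lines are constructed in the usual syslog/sshd/sudo format, the source addresses come from the 203.0.113.0/24 documentation range, and the thresholds are assumptions to tune for your environment.

```python
"""Spotting brute-force logins and privilege changes in auth logs.

Added example, not code from the original post. The log lines below are
constructed in syslog/sshd/sudo format; the thresholds are assumptions to
tune for your environment. Source addresses use the 203.0.113.0/24
documentation range.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

FAILED_LOGIN_THRESHOLD = 5     # failures from one source within the window
WINDOW_SECONDS = 120
PRIVILEGE_COMMANDS = ("useradd", "usermod", "visudo", "passwd", "chmod u+s")

SAMPLE_LOG = """\
Jul 14 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jul 14 09:12:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2
Jul 14 09:12:05 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51530 ssh2
Jul 14 09:12:08 web01 sshd[2216]: Failed password for root from 203.0.113.7 port 51531 ssh2
Jul 14 09:12:10 web01 sshd[2218]: Failed password for sally from 203.0.113.7 port 51540 ssh2
Jul 14 09:12:40 web01 sshd[2220]: Accepted publickey for sally from 203.0.113.50 port 40022 ssh2
Jul 14 09:13:40 web01 sudo:    sally : TTY=pts/0 ; PWD=/home/sally ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-backup
Jul 14 09:50:00 web01 sshd[2301]: Failed password for sally from 203.0.113.50 port 40031 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_ts(text: str, year: int = 2020) -> datetime:
    """Syslog stamps carry no year; assume one (constructed)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def scan(log_text: str) -> list[dict]:
    """Return alerts for failed-login bursts per source IP and privileged sudo commands."""
    alerts: list[dict] = []
    failures: dict[str, list[datetime]] = defaultdict(list)
    flagged: set[str] = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, proc, msg = parse_ts(m["ts"]), m["proc"].strip(), m["msg"]
        if proc == "sshd" and (f := FAILED_RE.search(msg)):
            ip = f["ip"]
            # Keep only the failures inside the sliding window before this one.
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= FAILED_LOGIN_THRESHOLD and ip not in flagged:
                flagged.add(ip)   # one alert per source, not one per extra failure
                alerts.append({"type": "brute_force", "source": ip, "count": len(recent), "at": ts})
        elif proc == "sudo" and (s := SUDO_RE.match(msg)):
            if any(p in s["cmd"] for p in PRIVILEGE_COMMANDS):
                alerts.append({"type": "privilege_change", "user": s["user"], "target": s["target"],
                               "command": s["cmd"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample, the five failures from 203.0.113.7 within ten seconds raise one brute-force alert, Sally's single later failure from her own address does not, and the `useradd` run via sudo is reported as a privilege change worth a human's attention. In production, point `scan` at the output of `journalctl` or `/var/log/auth.log` and forward the alerts to whoever is on call.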

Along the same lines, consider segmenting the network. Separate departments by access level so that each department can reach only the resources it needs. This contains an intrusion to one segment and lets managers and staff focus on their own area without worrying about what they can reach elsewhere in the organization.

Secure the company Wi-Fi network with WPA2 or WPA3 and a strong passphrase, and put visitors on a separate guest network so that unwanted guests can't use your bandwidth or, worse, reach your data. Hiding the network name (SSID) is not a security control on its own: it deters casual freeloaders, but an attacker can see the network anyway.

Have a Back Up Plan

Even the most careful companies can suffer a data breach. Keep your critical information safe by backing up your network to cloud storage and to external drives, with at least one copy kept offline where ransomware cannot reach it. Back up at least weekly so your information stays current, and test restores regularly: a backup you have never restored is not one you can count on. This dramatically reduces the cost of recovering from a cyber attack.
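A backup routine is only as good as its last successful restore. The added example below, in Python, shows the part most scripts skip: it archives a directory, records a SHA-256 digest beside the archive, then proves the backup is restorable by extracting it into a scratch location and comparing every file's contents against the source, and it shows the check failing when the archive is corrupted. It is not code from the original post; the directory tree it backs up is constructed in a temporary folder, and the naming scheme is an assumption.

```python
"""Backup with integrity check and restore test.

Added example, not code from the original post. It builds a small
constructed directory tree in a temporary folder, archives it, records a
SHA-256 digest alongside the archive, then proves the backup is restorable
by extracting it and comparing against the source.
"""
from __future__ import annotations

import filecmp
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sidecar_for(archive: Path) -> Path:
    return archive.parent / (archive.name + ".sha256")


def make_backup(source: Path, dest_dir: Path) -> Path:
    """Write <dest_dir>/<name>-<UTC stamp>.tar.gz plus a .sha256 sidecar (assumed naming)."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"{source.name}-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=source.name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    sidecar_for(archive).write_text(f"{digest}  {archive.name}\n")
    return archive


def _tree_matches(a: Path, b: Path) -> bool:
    """Recursive comparison of names and file contents (not just sizes or mtimes)."""
    cmp = filecmp.dircmp(str(a), str(b))
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    _, mismatch, errors = filecmp.cmpfiles(str(a), str(b), cmp.common_files, shallow=False)
    if mismatch or errors:
        return False
    return all(_tree_matches(a / d, b / d) for d in cmp.common_dirs)


def verify_backup(archive: Path, source: Path) -> dict:
    """Check the sidecar digest, then restore into a scratch dir and diff against the source."""
    recorded = sidecar_for(archive).read_text().split()[0]
    actual = hashlib.sha256(archive.read_bytes()).hexdigest()
    result = {"digest_ok": recorded == actual, "restore_ok": False}
    if not result["digest_ok"]:
        return result          # never trust contents of an archive that fails its digest
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch)   # archive produced by us; see note on untrusted archives
        result["restore_ok"] = _tree_matches(source, Path(scratch) / source.name)
    return result


def demo() -> dict:
    """Constructed end-to-end run: a good backup, then the same archive corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "payroll"
        (src / "2020").mkdir(parents=True)
        (src / "2020" / "july.csv").write_text("id,amount\n1,1200\n")
        (src / "policy.txt").write_text("keep 7 years\n")
        backups = Path(tmp) / "backups"
        backups.mkdir()

        archive = make_backup(src, backups)
        good = verify_backup(archive, src)

        # Flip one byte to simulate bit rot or tampering on the backup medium.
        data = bytearray(archive.read_bytes())
        data[-1] ^= 0xFF
        archive.write_bytes(bytes(data))
        corrupted = verify_backup(archive, src)
        return {"good": good, "corrupted": corrupted}


if __name__ == "__main__":
    print(demo())   # {'good': {'digest_ok': True, 'restore_ok': True}, 'corrupted': {'digest_ok': False, 'restore_ok': False}}
```

The digest sidecar catches a damaged or tampered archive before any restore is attempted; the restore test catches the subtler failure where the archive is intact but incomplete. If you ever extract archives that did not originate from your own backup job, pass `filter="data"` to `extractall` on Python 3.12 or later to refuse path-traversal entries.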

When all else fails, the tech experts at AE have our New York business owners covered with comprehensive disaster recovery solutions. Contact us today to learn more about securing your company's future.

State of Email Security for 2019


Email has been both an irreplaceable blessing and a cruel curse for business cybersecurity. It connects employees to each other and to the rest of the world, and for exactly that reason it has become the largest attack surface of any organization. Recent studies report that 94% of companies have experienced an email-borne malicious attack.

These attacks are mostly phishing, such as emails requesting money transfers, and fraud such as impersonation of third-party vendors. Email is the easiest way for anyone, inside or outside the organization, to reach employees and attempt an attack. The reasons to improve email security are endless, and companies are looking for solutions to remedy the vulnerabilities in their systems.
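Impersonation and payment-fraud mail tends to share a few telltale header traits: a sender domain one character away from the real one, an executive's name on an external address, a Reply-To that diverts the conversation elsewhere, and urgent payment language. The added example below, in Python, scores a message on exactly those traits. It is not code from the original post; the trusted domain, the executive roster and the two sample messages are constructed, and these checks complement rather than replace SPF, DKIM and DMARC enforcement at the gateway.

```python
"""Header heuristics for impersonation and payment-fraud email.

Added example, not code from the original post. The trusted domain, the
executive roster and the sample messages are constructed; in production
these come from your directory and mail gateway, and the checks complement
(not replace) SPF/DKIM/DMARC enforcement.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe", "john smith"}          # display names attackers imitate
MONEY_WORDS = ("wire transfer", "urgent payment", "gift card", "change of bank details")

# Constructed sample: lookalike domain, executive display name, external Reply-To.
SUSPICIOUS_MSG = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: ceo.urgent.reply@gmail.com
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today

Please process the wire transfer before noon and confirm by reply.
"""

BENIGN_MSG = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 budget review

Attaching the draft for Thursday.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is typically one edit away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw: str) -> list[str]:
    """Return the list of findings; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw)
    findings: list[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(from_domain, trusted) == 1:
                findings.append(f"lookalike domain {from_domain} resembles {trusted}")
        if any(exec_name in name.lower() for exec_name in EXECUTIVES):
            findings.append(f"executive display name '{name}' on external address {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in MONEY_WORDS if w in text]
    if hits and findings:   # payment language alone is normal for accounts staff
        findings.append(f"payment language {hits} combined with identity anomalies")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        print(label, analyze(raw))
```

Payment vocabulary on its own is deliberately not a finding, because an accounts mailbox sees it all day; it only raises the score when it arrives together with an identity anomaly. Messages that trip two or more findings are good candidates for quarantine or a banner, and for the out-of-band phone check that defeats most wire-transfer fraud.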

Vulnerabilities are Increasing

The volume of email-based attacks on companies has risen steadily in recent years, and as business moves further onto the internet and email, that trend is unlikely to change. IT departments find it increasingly difficult to protect the company and harden email. In fact, 61% of businesses believe it is likely or inevitable that they will suffer an email-borne attack.

Companies continue to promote email safety protocols and educate employees on proper email usage, hoping to minimize risk and improve vulnerability management. Yet while these efforts to help employees spot attacks have grown, only 25% of companies provide ongoing training aimed specifically at email security. Such training commonly takes the form of group sessions or informational videos; some companies go as far as one-on-one sessions to make sure each employee understands the risks of email and keeps the company safe while using it.

Effects of Attacks on Businesses

Many of these email-borne attacks have had direct effects on organizations' operations and profits. For email-based impersonation attacks specifically, organizations reported that:

  • 13% lost their position in the market
  • 26% loss of reputation
  • 27% had to cut back on employee numbers
  • 28% lost customers
  • 29% experienced direct financial loss
  • 39% experienced data loss

While 25% reported no loss from impersonation attacks, that doesn't mean they escaped losses from other kinds of attack; the odds are high that they didn't.

More to Email Security Than Just Outside Threats

There's more to email security than malicious outsiders; human error matters too. 31% of C-suite executives (CEO, CFO, CTO) report having sent sensitive data to the wrong person. If the data goes to a fellow employee, the damage may be limited; if it leaves the company, there is a chance it will be used to harm the company. Roughly 40% of employees believe their CEO undervalues the impact of email security.

C-suite members are also the prime targets of cybercriminals. Because executives hold valuable information and broad authority within the company, criminals single them out: the payoff is largest. Executives need to be educated on email security just as much as everyone else.

Email security should be one of the many integrated security strategies seriously enforced to protect the company. For more information regarding the state of email security, contact AE Technology Group. We are well-versed in protecting the networks of companies and offer solutions that can prevent cyber disasters and increase vulnerability management including email security.