NIST Nixes TFA Via SMS

Holy acronyms Batman!  What the heck does this headline mean?  Well, the National Institute of Standards and Technology (NIST) has removed two-factor authentication (TFA) via short-messaging service (SMS) from the approved list of two-factor authentication methods.  The reason is that SMS is an unencrypted service, and the lack of encryption makes it too insecure for use in Federal authentication systems.  NIST is recommending that all companies ...

Changing Passwords Regularly May Be Insecure

Bruce Schneier had an interesting post where he attacked the commonplace practice of requiring regular password changes.  Usual corporate IT policies require changes every 90 days, and in some high security environments, more frequently than that.

The basic issue with frequent password changes is that humans will create a system that makes it easy to remember the next iteration of the password.  This ...

Recovering from Ransomware

You have trained your staff and improved your defenses.  In spite of your best efforts, you have an active case of crypto-malware running on a system in your business.  How do you recover?

Here are the steps to recovery:

  • Disconnect the affected system from the network by removing the Ethernet network cable connection or turning off the Wi-Fi connection.
  • Determine if the encryption process has completed.
    • If so, leave the system running, but disconnected from the network. ...
Detect and Defend Against Ransomware

Encryption ransomware can be a devastating event if it happens to you or your company.  The three solutions are basically pay the money, restore from backup, or accept your losses and move on.  All are expensive, and some can be severe enough to drive a business out of business.  Monday we gave you several ways to prevent, or at least prepare a response to, a crypto-ransomware exploit.  Today we are going to look at early ...

Prepare and Prevent Ransomware Attacks

This week we will be focusing on preventing, detecting, and recovering from the many variants of the crypto-ransomware exploit.  Ransomware attacks, such as CryptoLocker, CryptoWall, Locky, Chimera, Zepto, and the like, have become one of the best money-making exploits for cyber-criminals, with new variants appearing on the scene every month.  These attacks usually start with a phishing email and a ZIP file attachment or a malicious link, so email vigilance can help. ...

10 Ways To Drive A Cybersecurity Geek Crazy

Actually there are way more than ten ways, but here are some I see all the time.  We can play this like a game, so go ahead and give yourself a point for each one of these that apply to you.  This game scores like golf – low score wins.

  1. Weak, Guessable Passwords – short and simple passwords may be easy for you to remember, but they make an attacker’s job simpler too. ...
Why Would You Hire A Hacker?

Should you hire a hacker?  Recently, the US Department of Defense did just that in their “Hack the Pentagon” event this spring.  This event resulted in the discovery of over 200 vulnerabilities that have been remediated, making our Defense network more secure.

The hackers we are recommending would be Certified Ethical Hackers (CEH) or Offensive Security Certified Professionals (OSCP).  These are professional cybersecurity practitioners who have received the specialized training to ...

20 Questions For Preparing An IT Risk Assessment

Many small businesses are being dragged into the arena of IT risk assessment by larger client companies, suppliers, or regulators.  Common scenarios include credit card (PCI) or HIPAA compliance.  Since the Target breach, smaller vendors and supplier companies who have a network connection into the IT operations of a larger company are being required to undergo the same sort of vulnerability and risk assessment procedures ...

HTTPoxy Poses New Threats For Web Site Owners

A recent article in Naked Security caught my eye the other day about a new web site vulnerability called HTTPoxy.  The name stands for HTTP requests and poisoned proxy settings.  Most web sites use a technology called Common Gateway Interface (CGI) to run applications such as site search, to collect information submitted on web forms, to display comments, to run a forum, or to display database queries such as pricing in a usable form on a web page.

Happy SysAdmin Day 2016

Today is the 17th anniversary of the first SysAdmin Day.  If you know a SysAdmin, who would be the person you call when your computer is on the fritz, today is the day to buy them a Hallmark card, New Egg gift card, Star Wars poster or paraphernalia, or a Raspberry Pi.  I am sure the electronic or the edible variety would both be enthusiastically received.

So give your computer tech ...
