Why Organisations Need Two-factor Authentication

By

What is Two-factor / Multi-factor Authentication?

Put simply, two-factor authentication (2FA) or multi-factor authentication (MFA) is an additional layer of security that aims to address the vulnerabilities that a standard single password system can have.

With a standard username and password only system, it’s relatively easy to fall prey to cyber criminals and other nefarious parties. Think of the rudimentary username and password combination as having only a single line of defense.

Two-factor Authentication or Multi-factor Authentication adds a second line of defence by introducing an additional step to verify who you are. Instead of immediately gaining access to an account or information after entering a username and password, an MFA requires an additional piece of information.

This second layer of protection comes from one of the following categories:

  • Something you have: Most commonly a user would have something in their possession which can be used to verify their authenticity. This can come in the form of a smartphone, text message or a hardware token.
  • Something you know: This could be an answer to a secret question, a personal identification number (PIN) or even a specific keystroke pattern.
  • Something you are: This is the most advanced form of 2FA and can include voice prints, iris scans and most commonly a fingerprint.

This second layer makes gaining access to accounts and information incredibly difficult as a compromise of one of the factors won’t be enough to unlock an account.

Why use Two-factor Authentication / Multi-factor Authentication?

With more of our business happening online, through mobile devices and computers, it’s easy to see why our digital accounts and information have become a target for criminals and other parties.

Malicious attacks, data breaches, hacks and other cybercrimes are becoming more common with massive increases in the number of sites and organisations losing the personal data of their users.

As cybercriminals develop more sophisticated and advanced ways for gaining access to information and data, it’s clear to see that old security systems are simply no match.

These issues aren’t reserved for the Facebooks and Googles of the business landscape, but for global companies, start-ups, small businesses, nonprofits and organisations of all sizes. Data breaches, often times even caused by simple human error, result in severe reputational and financial losses.

A recent study revealed that in 2016 over $16 billion was taken from 15.4 million U.S. consumers as a result of data breaches and an additional $107 billion from identity theft.

Who uses Two-factor Authentication / Multi-factor Authentication?

One of the most common users of two-factor authentication are businesses of all sizes. Organisations are able to significantly reduce the likelihood of phishing scams, as criminals are unable to gain access to login information and other secure data with usernames and passwords alone.

Likewise, we see organisations who aim to keep their own data and information confidential and secure, as well as that of their customers and clients, use MFA to reduce their risk of data breaches and as a form of value add for their clients.

Why Multi-factor Authentication is important for your business

Attempts to steal legitimate user or administrative credentials happens frequently when a party is able to compromise a network. These credentials allow them to easily propagate on a network and conduct malicious activities without the need for additional exploits, which significantly reduces the likelihood of them being detected.

When two-factor or multi-factor authentication is properly implemented throughout an organisation, the ability to steal a complete set of credentials becomes much more difficult. The user has to prove they are allowed access using something they have (physical token), something they know (PIN) or something they are (fingerprint scan).

It is vitally important that multi-factor authentication be implemented correctly in order to actually reduce security vulnerabilities and not simply create a false sense of network security.

An example of this would be when MFA is used for remote access solutions within an organisation, but not for corporate workstations. An unknown party could compromise the username and password from a device used for remote access and then use it to authenticate locally to a workstation or to propagate within a network after compromising the initial workstation on the network. In this case, multi-factor authentication for remote access is better than just a username and password, but doesn’t negate the requirement for properly defended devices to be used as part of a comprehensive remote access solution.

If you’d like to learn more about how we can help you with two-factor authentication / multi-factor authentication, please call us at any time on 07 3120 0640 or email us at [email protected].

How To Protect Yourself Against Email Attacks

By

With the Australian Governments introduction of the Notifiable Data Breach Scheme on February 22nd 2018, it is now more important than ever to protect yourself against all forms of attacks.

An incident at a KFC franchisee highlights that even the most seasoned IT professional can fall victim to a phishing attack, reported IT News on Tuesday the 20th of March 2018.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

An IT manager at a Brisbane-based Collins Foods, the operators of hundred of KFC stores in Australia, Germany and the Netherlands, clicked an unsafe link.

This one simple action allowed anonymous attackers to briefly take control of the manager’s email account, which allowed them to send out additional phishing emails masquerading as invoices to an entire data base of contacts.

The company was able to quickly spot and address the issue by notifying those they believe had been recipients of the fake invoices via email.

The issue was a much needed reminder to all organisations of the need to remain alert, monitor processes and ensure procedures are in place for speedy responses.

How you can avoid email phishing attacks

  • Never click on hyperlinks

Good practice is to avoid clicking on any hyperlinks included within the confines of an email. This is particularly important when you have received an email from an unknown sender.

If you do however feel the need to check out the website the link is associated with, you should always enter the URL into a web browser manually.

  • Verify HTTPS

Whenever confidential information is being conveyed online, the address bar should always read “HTTPS” as opposed to the standard “HTTP”. The “S” confirms that the data is being conveyed through a secure and trustworthy channel.

  • Always check the “from” address

This is a relatively simple, yet often overlooked method for identifying potentially malicious email.

Copying the look of a trustworthy email or organisation is easy, however the email address itself is another can of worms.

Potentially malicious emails attempting to masquerade as the legitimate source often have additional numbers and letters in the email address, or even a misspelling of the legitimate organisations name.

  • Never enter sensitive information into a pop up window

Pop up windows are often used by phishers to extract information or to direct you to unsafe sites. Pop up windows are good to avoid altogether, unless from those you know to be a trustworthy source.

  • Keep antivirus and firewall current

While these both seem like rather obvious methods for avoiding attacks, you would be surprised by the number of people who fail to take this basic step.

Phishers, scammers and attackers are constantly changing and upgrading their schemes, therefore remaining current with your own protections is an invaluable first line of defence.

Learn more about a multi-layered approach to security.

If you’d like any further information, assistance with your IT needs or you simply don’t know where to start – please feel free to call us on (07) 3120 0640 or email us at [email protected].

 

Sources:
https://www.itnews.com.au/news/when-an-it-manager-falls-victim-to-a-phish-487280
http://www.globallearningsystems.com/blog/post/10-best-practices-to-avoid-email-phishing-attacks/

Cyber Attack

By

Australia may have missed the worst of the worldwide cyber attack, but small businesses are still at risk of being infected by the WCry ransomware.

Cyber Security Alastair MacGibbon said the first thing Australians should do when they get in to work on Monday is update their Microsoft software. They should do this before they open their emails or other programs.

The virus may be spreading via email attachments or trusted websites and if you don’t open or click on to the infected sites then you won’t be impacted. The virus also has a wormlike features that looks for other vulnerable systems once it’s embedded in your computer, which means it can spread to other computers in a network.

Users should be regularly updating their software, and not just when there is a threat. Generally a popup will appear if there is an update available but you can also force the computer to check for updates. As a precaution users should also be backing up their data on a USB or external hard drive that is kept separate and not connected to their computer.

So far the massive cyber attack has hit 200,000 people in at least 150 countries including an Australian business.The ransomware locks down computers and has been demanding payments of $US300 ($AU406) to $US600 ($AU812) to restore access.

 

HOW TO CHECK IF YOU NEED TO UPDATE WINDOWS

The recently released Window 10 periodically checks for updates and automatically downloads and installs them unless told otherwise.

But if you’re not sure if your computer’s software is up to date, you can very easily check with the steps below.

1) Select the Window icon at the bottom left of the screen known as the Start button.

2) In the search box, type “Update” and then in the list of results, click “Windows Update”.

3) Click “Check for updates” and your computer will run a test to find any updates.

4) If it says your device is up to date, you have the latest software available and you should be able to breath a little easier.