Category Archives: Cybersecurity

What is SSO and how does single sign-on work?
28 Dec

What is single sign-on (SSO)?

Single sign-on (SSO) is a technology that combines several different application login screens into one. With SSO, a user only has to enter their login credentials (username, password, etc.) once, on a single page, to access all of their SaaS applications.

Imagine if customers who had already been admitted to a bar were asked to show their identification card to prove their age each time they attempted to purchase additional alcoholic beverages. Some customers would quickly become frustrated with the continual checks and might even attempt to circumvent these measures by sneaking in their own beverages.

However, most establishments will only check a customer’s identification once, and then serve the customer several drinks over the course of an evening. This is somewhat like an SSO system: instead of establishing their identity over and over, a user establishes their identity once and can then access several different services.

SSO is an important aspect of many identity and access management (IAM) or access control solutions. User identity verification is crucial for knowing which permissions each user should have. Cloudflare Zero Trust is one example of an access control solution that integrates with SSO solutions for managing users’ identities.

What are the advantages of SSO?

In addition to being much simpler and more convenient for users, SSO is widely considered to be more secure. Here are a few reasons:

  1. No repeated passwords: When users have to remember passwords for several different apps and services, a condition known as “password fatigue” is likely to set in: users will re-use passwords across services. Using the same password across several services is a huge security risk because it means that all services are only as secure as the service with the weakest password protection: if that service’s password database is compromised, attackers can use the password to hack all of the user’s other services as well. SSO eliminates this scenario by reducing all logins down to one login.
  2. Multi-factor authentication: Multi-factor authentication, or MFA, refers to the use of more than one identity factor to authenticate a user. For example, in addition to entering a username and password, a user might have to connect a USB device or enter a code that appears on their smartphone. Possession of this physical object is a second “factor” that establishes the user is who they say they are. MFA is much more secure than relying on a password alone. SSO makes it possible to activate MFA at a single point instead of having to activate it for three, four, or several dozen apps, which may not be feasible.
  3. Stronger passwords: Since users only have to use one password, SSO makes it easier for them to create, remember, and use stronger passwords.* In practice, this is typically the case: most users do use stronger passwords with SSO.
     *What makes a password “strong”? A strong password is not easily guessed and is random enough that a brute force attack is not likely to succeed. w7:g"5h$G@ is a fairly strong password; password123 is not.
  4. Single point for enforcing password re-entry: Administrators can enforce re-entering credentials after a certain amount of time to make sure that the same user is still active on the signed-in device. With SSO, they have a central place from which to do this for all internal apps, instead of having to enforce it across multiple different apps, which some apps may not support.
  5. Better password policy enforcement: With one place for password entry, SSO provides a way for IT teams to easily enforce password security rules. For example, some companies require users to reset their passwords periodically. With SSO, password resets are easier to implement: instead of constant password resets across a number of different apps and services, users only have one password to reset. (While the value of regular password resets has been called into question, some IT teams still consider them an important part of their security strategy.)
  6. Less time wasted on password recovery: In addition to the above security benefits, SSO also cuts down on wasted time for internal teams. IT has to spend less time on helping users recover or reset their passwords for dozens of apps, and users spend less time signing into various apps to perform their jobs. This has the potential to increase business productivity.
  7. Internal credential management instead of external storage: Usually, user passwords are stored remotely, in an unmanaged fashion, by applications and services that may or may not follow best security practices. With SSO, however, they are stored internally in an environment that an IT team has more control over.

How does an SSO login work?

Whenever a user signs in to an SSO service, the service creates an authentication token that remembers that the user is verified. An authentication token is a piece of digital information stored either in the user’s browser or within the SSO service’s servers, like a temporary ID card issued to the user. Any app the user accesses will check with the SSO service. The SSO service passes the user’s authentication token to the app and the user is allowed in. If, however, the user has not yet signed in, they will be prompted to do so through the SSO service.

Think of SSO as a go-between that can confirm whether a user’s login credentials match with their identity in the database, without managing the database themselves — somewhat like when a librarian looks up a book on someone else’s behalf based on the title of the book. The librarian does not have the entire library card catalog memorized, but they can access it easily.

An SSO service does not necessarily remember who a user is, since it does not store user identities. Most SSO services work by checking user credentials against a separate identity management service.

How do SSO authentication tokens work?

The ability to pass an authentication token to external apps and services is crucial in the SSO process. This is what enables identity verification to take place separately from other cloud services, making SSO possible.

Think of an exclusive event that only a few people are allowed into. One way to indicate that the guards at the entrance to the event have checked and approved a guest is to stamp each guest’s hand. Event staff can check the stamps of every guest to make sure they are allowed to be there. However, not just any stamp will do; event staff will know the exact shape and color of the stamp used by the guards at the entrance.

Just as each stamp has to look the same, authentication tokens have their own communication standards to ensure that they are correct and legitimate. The main authentication token standard is called SAML (Security Assertion Markup Language). Similar to how webpages are written in HTML (Hypertext Markup Language), authentication tokens are written in SAML.
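The login and token flow described in the two sections above, as an added example that is not part of the original post or of Cloudflare's code: a stand-in identity provider checks the password once against its own user directory and issues short-lived signed tokens, and each app only verifies the signature, issuer, audience and expiry (the "stamp" check). The issuer name `sso.example.test`, the apps `mail` and `wiki`, and the user are placeholders; the token layout and HMAC stand in for a SAML assertion and its XML signature.

```python
"""Minimal single sign-on flow: the identity provider (IdP) checks the password
once and issues signed tokens; each app (service provider, SP) accepts a token
without ever seeing the password.  Constructed example: the token format stands
in for a SAML assertion and the HMAC for its XML signature."""
import base64
import hashlib
import hmac
import json
import secrets
import time

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    """Holds the user directory and the signing key (the guards' stamp)."""
    def __init__(self, issuer):
        self.issuer = issuer
        self.signing_key = secrets.token_bytes(32)
        self._users = {}      # username -> (salt, password hash); apps never see this
        self._sessions = {}   # session id -> username

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _pw_hash(password, salt))

    def login(self, username, password):
        """The single credential check; returns a session id or None."""
        rec = self._users.get(username)
        if rec is None or not hmac.compare_digest(_pw_hash(password, rec[0]), rec[1]):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = username
        return sid

    def assertion_for(self, session_id, audience, ttl=300):
        """Short-lived token for one app; None means "not signed in, show the login page"."""
        user = self._sessions.get(session_id)
        if user is None:
            return None
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": user, "aud": audience, "iat": now, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.signing_key, body.encode(), "sha256").hexdigest()
        return body + "." + sig

class ServiceProvider:
    """An app that trusts one IdP; it stores a verification key, never passwords."""
    def __init__(self, name, idp):
        self.name = name
        self.trusted_issuer = idp.issuer
        self.verify_key = idp.signing_key   # with SAML this would be the IdP's certificate

    def accept(self, token, now=None):
        """Return the user name if the token is a valid assertion for this app, else None."""
        if token is None or token.count(".") != 1:
            return None
        body, sig = token.split(".")
        expected = hmac.new(self.verify_key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None   # wrong "stamp": forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = int(time.time()) if now is None else now
        if claims.get("iss") != self.trusted_issuer or claims.get("aud") != self.name:
            return None   # issued by someone else, or for a different app
        if now >= claims.get("exp", 0):
            return None   # expired
        return claims["sub"]

def demo():
    idp = IdentityProvider("https://sso.example.test")   # placeholder issuer name
    idp.add_user("alice", "correct horse battery staple")
    mail, wiki = ServiceProvider("mail", idp), ServiceProvider("wiki", idp)
    sid = idp.login("alice", "correct horse battery staple")   # one login...
    mail_token = idp.assertion_for(sid, "mail")
    forged = mail_token[:-1] + ("0" if mail_token[-1] != "0" else "1")
    return {
        "bad_password": idp.login("alice", "wrong"),
        "mail": mail.accept(mail_token),                               # ...many apps
        "wiki": wiki.accept(idp.assertion_for(sid, "wiki")),
        "mail_token_replayed_to_wiki": wiki.accept(mail_token),
        "tampered": mail.accept(forged),
        "expired": mail.accept(mail_token, now=int(time.time()) + 600),
        "no_session": mail.accept(idp.assertion_for("not-a-session", "mail")),
    }
```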

How does SSO fit into an access management strategy?

SSO is only one aspect of managing user access. It must be combined with access control, permission control, activity logs, and other measures for tracking and controlling user behavior within an organization’s internal systems. SSO is a crucial element of access management, however. If a system does not know who a user is, there is no way to allow or restrict that user’s actions.

Does Websiteflix integrate with SSO solutions?

Among the many options in today’s market, we can help you implement Cloudflare Zero Trust, which controls and secures user access to applications and websites; it can act as a replacement for most VPNs. Cloudflare integrates with SSO providers in order to identify users and enforce their assigned access permissions.

Need help with implementing SSO solutions?

Give us a call today at (855) 225-4535, or fill out our contact form, and talk to one of our cyber-safety experts.

Source: https://www.cloudflare.com/learning/access-management/what-is-sso/

Cybercrime is increasing and here are the effective ways to protect yourself
05 Oct

At Websiteflix, we offer many security tools (https://domains.netlittle.com/products/website-security) to safeguard your assets. Here are a few extra steps you can take to significantly reduce the risk of a scammer targeting your accounts during National Cybersecurity Awareness Month and beyond:

  1. Enroll in two-factor authentication (2FA) for your online accounts as well as your email and mobile service provider accounts. 2FA acts as an extra hurdle for scammers, even if they learn your username and password.
  2. Enroll in biometric security for your mobile device, where possible. A biometric login (fingerprint or facial recognition) is far more secure than a username and password on its own. It’s also a faster way to log in.
  3. Always use unique usernames and passwords for each of your accounts. Scammers purchase compromised login details from the hidden web and test them on various websites to find people who reuse their credentials for multiple accounts. Don’t let them find you!
  4. Be aware of social engineering scams. The number one way cybercrimes begin is with a malicious email link, attached document, text message, or a spoofed or compromised web page. Be wary of anyone who claims to be from IT services, alleges that there’s a virus on your device, requests remote access to your computer, or asks for a password or a one-time PIN.
  5. Keep your contact information up to date in case there’s an issue and your provider needs to reach you. Double-check that your phone number and email are correct, or update them in your online accounts or in the mobile app.

Want to learn more about securing your accounts? Visit our security page for further information.

Identifying and Avoiding COVID-19 Scams
22 Apr

Are you working from home or attending school online during the Coronavirus (COVID-19) pandemic? Be cautious of cybercriminals.

During this time of social distancing, people spend more time on their phones and computers for home, work, shopping, and entertainment. Cybercriminals take advantage of widespread fear, panic, and worry. They may use your extra screen time and time at home as an opportunity.

Protect yourself by being aware of different types of scams.

According to the U.S. Department of Justice, the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC), there are several ways scammers will use COVID-19 to target people.

  • Vaccine and treatment scams. Scammers may advertise fake cures, vaccines, and advice on unproven treatments for COVID-19.
  • Shopping Scams. Scammers may create fake stores, e-commerce websites, social media accounts, and email addresses claiming to sell medical supplies currently in high demand. Supplies might include things like hand sanitizer, toilet paper, and surgical masks. Scammers will keep your money but never provide you with the merchandise.
  • Medical scams. Scammers may call and email people pretending to be doctors and hospitals that have treated a friend or relative for COVID-19 and demand payment for treatment.
  • Charity scams. Scammers sometimes ask for donations for people and groups affected by COVID-19.
  • Phishing and Malware scams. During the COVID-19 crisis, phishing and malware scams may be used to gain access to your computer or to steal your credentials.
    • Malware is malicious software such as spyware, ransomware, or viruses that can gain access to your computer system without you knowing. Malware can be activated when you click on email attachments or install risky software.
    • When Phishing is used, bad actors send false communications from what appears to be a trustworthy source to try to convince you to share sensitive data such as passwords or credit card information.
    • For example, scammers may pose as national and global health authorities, including the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC) and send phishing emails designed to trick you into downloading malware or providing your personal and financial information.
  • App scams. Scammers may create mobile apps designed to track the spread of COVID-19 and insert malware into that app, which will compromise users’ devices and personal information.
  • Investment scams. Scammers may offer online promotions on things like social media, claiming that products or services of publicly traded companies can prevent, detect, or cure COVID-19, causing the stock of these companies to dramatically increase in value as a result.

(Source: U.S. Department of Justice)  

Malicious Domains and Files Related to Zoom Increase, ‘Zoom Bombing’ on the Rise
05 Apr

Threat actors taking advantage of the increased usage of video conferencing apps is reflected in the rise of malicious domains and files related to the Zoom application. Cases of “Zoom bombing” have been witnessed as well. The use of Zoom and other video conferencing platforms has increased since many companies have transitioned to a work-from-home setup due to the coronavirus (COVID-19) outbreak.

Registrations of domains that reference the name Zoom have significantly increased, according to Check Point Research. More than 1,700 new domains related to Zoom were registered since the beginning of 2020, and 25% of that number were registered in the past week alone. Of these domains, 4% have been found to have suspicious characteristics.

Other communication apps such as Google Classroom have been targeted as well; the official domain classroom.google.com has already been spoofed as googloclassroom[.]com and googieclassroom[.]com.

The researchers were also able to detect malicious files containing the word “Zoom,” such as “zoom-us-zoom_##########.exe” (# representing various digits). A file related to the Microsoft Teams platform (“Microsoft-teams_V#mu#D_##########.exe”) was found as well. Running these files installs the InstallCore potentially unwanted application (PUA) on the user’s computer, which could allow other parties to install malware.

In addition to malicious domains and files, the public is also warned of Zoom bombing, or strangers crashing private video conference calls to perform disruptive acts such as sharing obscene images and videos or using profane language. Attackers guess random meeting ID numbers in an attempt to join these calls. Companies and schools holding online classes have fallen victim to this. Zoom has released recommendations on how to prevent uninvited participants from joining private calls.

Zooming in on work-from-home setup security

The transition of many companies to a work-from-home (WFH) arrangement has brought about its own set of security concerns. For one, the increased reliance of companies on video conferencing apps for communication can inadvertently expose businesses to threats and even possibly leak classified company information.

Employees are advised to properly configure the settings of these apps to ensure that only those invited can participate in the call. Users are also advised to double-check domains that may look related to video conferencing apps and verify the source before downloading files. Official domains and related downloads are usually listed in the apps’ official websites.
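The "double-check the domain" advice above, turned into a check a help desk or mail filter could run, as an added example that is neither Trend Micro's nor Check Point's code: known official domains are allowlisted, and anything else is compared against the brand names by word and by edit distance after collapsing easily confused characters (so googieclassroom and googloclassroom both land next to googleclassroom). The official-domain list and the confusable-character table are constructed assumptions and deliberately err on the side of flagging.

```python
"""Lookalike-domain check for spoofed domains of the kind named in the post
(googloclassroom[.]com, googieclassroom[.]com).  Added example; the allowlist
and the rules are constructed for illustration and favour false positives."""
from urllib.parse import urlsplit

# Constructed allowlist: official domains of the apps the post mentions.
OFFICIAL = ("zoom.us", "google.com", "classroom.google.com", "microsoft.com", "teams.microsoft.com")

# Characters easily confused in a URL bar, mapped to one canonical form so that
# "googie" compares equal to "google" before the edit-distance test.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s"})

def normalise_host(value):
    """Accept a bare host, a full URL, or a defanged host such as example[.]com."""
    value = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if "://" not in value:
        value = "//" + value          # let urlsplit treat it as a network location
    return urlsplit(value).hostname or ""

def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_forms(domain):
    """Labels of an official domain (minus the TLD) plus their joined forms:
    classroom.google.com -> classroom, google, googleclassroom, classroomgoogle."""
    labels = domain.split(".")[:-1]   # crude TLD handling; enough for .us/.com here
    forms = set(labels)
    if len(labels) > 1:
        forms.add("".join(labels))
        forms.add("".join(reversed(labels)))
    return forms

def classify_domain(value):
    """Return 'official', 'lookalike' or 'unrelated' for a host, URL or defanged host."""
    host = normalise_host(value)
    if not host:
        return "unrelated"
    for official in OFFICIAL:
        if host == official or host.endswith("." + official):
            return "official"
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # registrable label, e.g. googloclassroom
    words = set(label.split("-"))                         # zoom-us-download -> zoom, us, download
    norm = label.replace("-", "").translate(CONFUSABLES)
    for official in OFFICIAL:
        for form in brand_forms(official):
            if form in words:             # brand name used as a word in an unrelated domain
                return "lookalike"
            budget = 1 if len(form) < 8 else 2
            if levenshtein(norm, form.translate(CONFUSABLES)) <= budget:
                return "lookalike"        # a keystroke or two away from the real brand
    return "unrelated"

def scan(candidates):
    """Classify each candidate; returns {input: verdict}."""
    return {c: classify_domain(c) for c in candidates}
```

Run `scan()` over the domains in a block list or a day's proxy log to get a first triage pass; anything marked lookalike still needs a human look before blocking.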

Besides securing the use of video conferencing apps, users can also protect their WFH setups through the proper use and configuration of a virtual private network (VPN) and remote desktop protocol (RDP), which are commonly used for remote connection. Choosing strong passwords and setting up two-factor authentication (2FA) will also help secure accounts. Users are also reminded to be wary of online scams, including those that use content related to COVID-19 to lure possible victims.

Source: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-domains-and-files-related-to-zoom-increase-zoom-bombing-on-the-rise

Working From Home? 5 Tips to Stay Secure
19 Mar

Working from home – a new reality

It’s evident that working from home has become a new reality for many, as more and more companies are encouraging and even requesting that their staff work remotely. In fact, recent events have accelerated this WFH trend, or workforce transformation process, with companies restricting employee travel and many allocating more resources to enable virtual work. Major tech players, like Twitter and LinkedIn, have made even bigger moves by implementing policies that require all employees to work from home. Clearly, work from home is no longer just an initiative to harness global talent but also a way to protect workers from risk.

Increased security risks

At McAfee, we’re keeping a close eye on this trend, observing huge increases in the number of personal devices connecting online. And while working from home offers benefits to employees, this upswing in personal devices connecting to enterprises can actually expose organizations and employees to security risks, such as malware attacks, identity theft, and ransomware. With the world now facing this new reality, the question remains–how can employers and employees equip themselves with the resources to work from home securely on a full-time or part-time basis?

Work from home securely

Employers must not only educate their employees on digital security best practices but also give them the tools to combat online threats that may stem from remote work. With many of us relying on emails and the web to work remotely, we need to be aware of the key giveaway signs that indicate a threat. From there, we can spot, flag, and report anything that looks suspicious. By sharing the responsibility and encouraging others to flag anything sketchy, we can all naturally raise awareness and help others avoid falling into similar traps. By staying open with one another, we can stay ahead of hackers.

Tips to protect both personal and corporate data

Want to ensure you work from home in a safe and secure way? Here are five quick tips and tools you can use to protect both personal and corporate data:

Utilize a VPN

Many people use public Wi-Fi at coffee shops, airports, etc. in order to stay connected both professionally and personally. However, by using an unsecured Wi-Fi connection, you may be creating an easy gateway for hackers to access your personal information and data. Be sure to use a virtual private network (VPN), which is extremely important for establishing a secure connection to work files and personal photos saved in the cloud.

Be aware of phishing emails

We’ve seen hackers attempt to take advantage of people’s fears by pretending to sell face masks online to trick unsuspecting people into giving away their credit card details. Do not open any email attachments or click on any links that seem suspicious.

Regularly change cloud passwords with two-factor authentication

Two-factor authentication is a more secure way to access work applications. In addition to a password/username combo, you will be asked to verify who you are with a device that you–and only you—own, such as a mobile phone. Put simply: it uses two factors to confirm an identity. Ultimately, getting access to something supposedly confidential isn’t that hard for hackers nowadays. However, the second form of identification makes it so hackers are limited in what they can pull off.

Use strong, unique passwords

In case a hacker does gain access to one of your accounts, make sure to use complex passwords for each of your accounts, and never reuse your credentials across different platforms. It’s also a good idea to update your passwords consistently to further protect your data. You can also use a password manager, or a security solution that includes a password manager, to keep track of all your unique passwords.

Browse with security protection

Ensure that you continue to update your security solutions across all devices. This will help protect devices against malware, phishing attacks, and other threats, as well as help identify malicious websites while browsing.

Source: https://www.mcafee.com/blogs/consumer/top-five-things-to-do-to-stay-secure-when-working-from-home/

WOULD YOU LIKE HELP SETTING UP VPN OR IT SECURITY?

Coronavirus phishing emails: How to protect against COVID-19 scams
18 Mar

The overwhelming amount of news coverage surrounding the novel coronavirus has created a new danger — phishing attacks looking to exploit public fears about the sometimes-deadly virus.

How does it work? Cybercriminals send emails claiming to be from legitimate organizations with information about the coronavirus.

The email messages might ask you to open an attachment to see the latest statistics. If you click on the attachment or embedded link, you’re likely to download malicious software onto your device.

The malicious software — malware, for short — could allow cybercriminals to take control of your computer, log your keystrokes, or access your personal information and financial data, which could lead to identity theft.

The coronavirus — or COVID-19, the name of the respiratory disease it causes — has affected the lives of millions of people around the world. It’s impossible to predict its long-term impact. But it is possible to take steps to help protect yourself against coronavirus-related scams.

Here’s some information that can help.

How do I spot a coronavirus phishing email? Examples

Coronavirus-themed phishing emails can take different forms, including these.

CDC alerts. Cybercriminals have sent phishing emails designed to look like they’re from the U.S. Centers for Disease Control. The email might falsely claim to link to a list of coronavirus cases in your area. “You are immediately advised to go through the cases above for safety hazards,” the text of one phishing email reads.

Health advice emails. Phishers have sent emails that offer purported medical advice to help protect you against the coronavirus. The emails might claim to be from medical experts near Wuhan, China, where the coronavirus outbreak began. “This little measure can save you,” one phishing email says. “Use the link below to download Safety Measures.”

Workplace policy emails. Cybercriminals have targeted employees’ workplace email accounts. One phishing email begins, “All, Due to the coronavirus outbreak, [company name] is actively taking safety precautions by instituting a Communicable Disease Management Policy.” If you click on the fake company policy, you’ll download malicious software.

How do I avoid scammers and fake ads?

Scammers have posted ads that claim to offer treatment or cures for the coronavirus. The ads often try to create a sense of urgency — for instance, “Buy now, limited supply.”

At least two bad things could happen if you respond to the ads.

One, you might click on an ad and download malware onto your device.

Two, you might buy the product and receive something useless, or nothing at all. Meanwhile, you may have shared personal information such as your name, address, and credit card number.

Bottom line? It’s smart to avoid any ads seeking to capitalize on the coronavirus.

Tips for recognizing and avoiding phishing emails

Here are some ways to recognize and avoid coronavirus-themed phishing emails.

Like other types of phishing emails, these messages usually try to lure you into clicking on a link or providing personal information that can be used to commit fraud or identity theft. Here are some tips to avoid getting tricked.

  • Beware of online requests for personal information. A coronavirus-themed email that seeks personal information like your Social Security number or login information is a phishing scam. Legitimate government agencies won’t ask for that information. Never respond to the email with your personal data.
  • Check the email address or link. You can inspect a link by hovering your mouse button over the URL to see where it leads. Sometimes, it’s obvious the web address is not legitimate. But keep in mind phishers can create links that closely resemble legitimate addresses. Delete the email.
  • Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email. Delete it.
  • Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate.
  • Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information — right now. Instead, delete the message.

Where can I find legitimate information about the coronavirus?

It’s smart to go directly to reliable sources for information about the coronavirus. That includes government offices and health care agencies.

Here are a few of the best places to find answers to your questions about the coronavirus.

Centers for Disease Control and Prevention. The CDC website includes the most current information about the coronavirus. Here’s a partial list of topics covered.

  • How the coronavirus spreads
  • Symptoms
  • Prevention and treatment
  • Cases in the U.S.
  • Global locations with COVID-19
  • Information for communities, schools, and businesses
  • Travel

World Health Organization. WHO provides a range of information, including how to protect yourself, travel advice, and answers to common questions.

National Institutes of Health. NIH provides updated information and guidance about the coronavirus. It includes information from other government organizations.

Source: https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html

National Cybersecurity Awareness Month 2019
07 Oct

The line between our online and offline lives is indistinguishable. In these tech-fueled times, our homes, societal well-being, economic prosperity and nation’s security are impacted by the internet.

Under the overarching theme of ‘Own IT. Secure IT. Protect IT.’, the 16th annual National Cybersecurity Awareness Month (NCSAM) is focused on encouraging personal accountability and proactive behavior in security best practices and digital privacy, and on drawing attention to careers in cybersecurity. NCSAM 2019 will address the following online safety messages and identify opportunities for behavioral change:

  • Own IT.

    • Never Click and Tell: staying safe on social media
    • Update Privacy Settings
    • Keep Tabs on Your Apps: best practices for device applications

  • Secure IT.

    • Shake Up Your Passphrase Protocol: create strong, unique passphrases
    • Double Your Login Protection: turn on multi-factor authentication
    • Shop Safe Online
    • Play Hard To Get With Strangers: how to spot and avoid phish

  • Protect IT.

    • If You Connect, You Must Protect: updating to the latest security software, web browser and operating systems
    • Stay Protected While Connected: Wi-Fi safety
    • If You Collect It, Protect It: keeping customer/consumer data and information safe

Source: https://staysafeonline.org/ncsam/themes/