fbpx

Password Policy? Yes or No?

Password’s are an essential part of an organisation’s IT infrastructure. They are the first line of defense against attackers and usually the first thing to get compromised during a breach. This is why many organisations take great lengths to protect their passwords as well as the passwords of their users; often through invasive Password Change Policies which tend to do more bad than good.

As of April 2019 Microsoft is actually recommending disabling organisation-wide Password Change policies, not because of the Password Change policy itself but because of the effects it has on users trying to mitigate the hassle of maintaining a password change policy. When a user must change their password every 30/60/90 days they start coming up with strategies to ‘cheat’ the system; such as having the same password with incremental numbers (Password1, Password2, etc) or they start to write down their passwords in public locations (a sticky note attached to the PC). Both of these strategies are quite common and are often less secure than just having a singular strong password.

But what is a strong password? Microsoft constitutes a strong password as having 3 out of 5 of the following and being at least 8 Characters long.

  • Capital Letters
  • Lowercase Letters
  • Numbers
  • Symbols
  • Foreign Characters (こんにちは, Привет, 你好)

Whist we agree in principal, there should be some education around this so users do not come up with some easy passwords that satisfy the requirements; such as Password1. This is a insecure password but meets Microsoft’s requirements for a ‘strong’ password.

A good way to satisfy the password requirement, be secure, and even remember your password is: choose 3 short words that you will remember, then pick a symbol (such as $). You can now use these to make a password combination such as:

#IT#support#CANBERRA

or even the reverse is possible:

#it#SUPPORT#canberra

These passwords are more secure because of the length as well as being more memorable because it’s relating to a something that you chose.
If you can’t think of the words – that’s okay, you can use a free tool to generate some passwords for you and then you can choose the one that you think you would remember best. There are some password tools available online that let you customise how secure you want to password to be.

One of the websites is “A Secure Memorable Password Generator”: https://xkpasswd.net/s/

In summary, Password Change policies aren’t as secure as they seem on the surface – not due to any weakness in the policy itself but rather the effects it has on users that are forced to use the policy.

It is much better to use a singular secure password such as the style of passwords listed above.

Fortinet 30E – Review

Firewall Fortinet FortiGate 30E – Review

Fortinet

Fortinet 30E Managed Firewall

In our day to day operations providing IT support to small and medium business in and around Canberra, we often are tasked with installing new networks or upgrading existing networks. As part of this process we come across a lot of different networking equipment such as, Routers, Switches and Firewalls.

More recently, we have rolled out several different Fortinet products including the Fortinet FortiGate 30E Firewall.

The Fortinet FortiGate 30E is a compact unit not much bigger than your typical ADSL/VDSL router, its heavier than it looks and is a relatively plain looking device. It has a USB port, a Console Port, 1x GE WAN port and 4x GE Switch Ports.

The FortiGate 30E is much more than a typical firewall. It has many features and a lot of ability for its sub $1000 price tag. Its features include, IPS (Intrusion Prevention Scanning), NGFW (Next Generation Firewall), Threat Protection, AntiVirus Scanning, Web Filtering, DNS Filtering, Application Control, SSL VPN and even a Web Application Firewall for those wanting to run on premise web services.

The claimed throughput on this device is 950Mbps (Standard Firewall), 300Mbps IPS, 200Mbps NGFW and 150Mbps Threat Protection Throughput. Whilst we have not tested the maximum throughput, we have installed these devices in multiple locations with 100Mbit NBN connections and around 15 – 20 users without any issues.

The interface is very intuitive, and settings can easily be found, I wouldn’t say its super easy to configure for a novice, but with a little know how these devices can be deployed very quickly and very seamless.

Fortinet Dashboard

Managed Services Canberra Firewall

The visibility into network traffic is amazing once you know where to look. You can look at FortiView which provides information on traffic in and out of LAN/DMZ and traffic from the WAN interface. This gives you a good summary of the bandwidth used by device, by application, the category of the traffic and the risk associated with the traffic. You can also look under Log and Report for real time traffic, what policy is being used, application control and web filter triggered events.

Fortinet Fortiview

Fortinet Canberra Screenshot

With all Business Telephone Systems being switched to VoIP (Voice Over IP) on the NBN in Australia, it is imperative to ensure bandwidth hogs do not affect the quality of telephone calls in your business. One of the excellent features of the FortiGate 30E is the Traffic Shaper. You can assign a high priority to VoIP traffic and a minimum amount of bandwidth to ensure you clients can hear you clearly and concisely.

Business owners might also be thrilled at the ability to schedule firewall policies. For example, if you wanted to lock users out of social media except for during their lunch break, you can do this with ease with Fortinet Schedules.

Overall, we have found this device to be very stable with a high level of protection and performance. We would recommend this product to all small business who require more protection and visibility than a default ADSL / VDSL modem / router built in firewall.

The only downside of FortiGate Firewall 30E is for reporting and any logging of events outside of what is happening right now, you need to purchase the additional FortiAnalyzer. Which does have some cool features, but pushes the price of the solution up. It is well worth it if you are interested in exactly what is happening on your network.

There is an annual subscription for the FortiGate products, but not overly expensive. I can’t say this is the best firewall on the market under the $1000 mark as I have not tested them all. I can say that value for money we are very impressed with the level of protection and performance.

This is not a paid review.

Office 365

Office 365 for Email – Migrations and Downtime

Office 365 for email – Migrations and Downtime.

Some of the questions we get asked all the time when switching clients to Office 365 for email is: ‘How long does it take?’ or ‘Will there be any downtime?’

I thought I would write a post about these two questions specifically, in the hope that it can at least put you the reader at ease when deciding if Office 365 for email is for your business.

‘How long does it take?’

This is not a simple question, but has a simple answer – it depends. The time it takes to perform an Office 365 mail migration depends on a number of factors, factors you should consider when planning to move your mail services.

How many mail boxes? Obviously if you have 5 mailboxes, it will take less time than if you have 50 mailboxes, and 50 mailboxes will take less time than 500 mailboxes and so on and so forth. The more users the more support and admin will be required for the transition.

What type of migration? There are 3 types of standard migrations that can be performed to migrate email to Office 365 email, Cutover Migration, Staged Migration and Hybrid Migration. This is of course assuming you are coming from some type of Exchange based solution whether it is On Premise or Hosted. We also perform what we like to refer to as a custom migration, which is where we might move you from POP, IMAP email from a different source like Gmail or Mac Mail Server etc etc. The type of migration required will affect the required time to perform the migration.

How much data? The amount of data to import into Office 365 email is generally the biggest factor in determining the amount of time required to perform a migration. If there are 10 mailboxes with 2Gb of email, this will be 20Gb of data that has to be uploaded to the Office 365 servers. Now I am not sure if you have ever tried to upload 20Gb of data on a poor ADSL2+ connection but it’s not great fun. Now imagine if you have 100 users with 10+Gb mail boxes.

Internet Speed? If you are importing your existing email into Office 365, and why wouldn’t you. The data has to be uploaded to the Office 365 servers, and depending on the migration type re-downloaded to sync your new mailbox. For example, if you are moving to Office 365 from a hosted IMAP solution like Gmail, then the email generally will be uploaded from those servers which you would assume would have a decent internet connection, but then you have to have Outlook connect to the Office 365 Exchange Servers and download all of your email, calendars and contacts, which depending on your Internet connection speed will vary.

Aftercare support? So you have migrated all of the data, users are connecting with Outlook and everything is going well. Until your phone starts ringing and a user no longer has their email address autocomplete from before the migration, or they are missing Calendar items or maybe they can’t connect their iPhone to Office 365 for email. Allow time to provide support for these types of requests. There will always be things that can get missed, the most common ones are Scan to Email for on premise scanners, signatures, and email address auto complete.

The time it takes is generally not an issue as generally there is no interruption to services while the migration is being performed – if planned correctly. We recently performed a staged migration of a Hosted Exchange 2010 server with over 1000 mailboxes and 3TB of mailbox store, this migration took weeks of planning and preparation and was seamless to the end users with very little impact to the hundreds of tenants hosted in that environment.

‘Will there be any downtime?’

If everything has been done correctly, there will be very little interruption to business email services. The majority of the work is done during the planning, preparation and migration phases, again, if planned and prepared correctly. At most the interruption should be while a mail client is re-configured to connect to Office 365 and the mailbox is synced, during this time if there are any urgent emails that are waiting to be sent or received, keep in mind the user can always use Outlook Web Access or the webmail client.

So if you are thinking of migrating to Office 365 for email, which is an awesome tool for any business ensure you plan thoroughly, stay informed and communicate with your users, this will ensure a smooth migration and everyone will be happy, and of course if you need help or would like someone to do the migration for you get in touch with us here at AUIT and we will certainly be able to help.

Common Scams and some tips on avoiding them.

As a managed service provider we deal with a lot of different businesses and a lot of different users.  As part of our commitment to those businesses and users,  we like to ensure that security (and especially security around I.T systems) is kept at the front of customers minds.

IT Security Investment Scams

One way to do this is to share some stories about security incidents that we have witnessed or been asked to assist with.  So here are a few:

————————————————————————————————————

The virus borne internet banking scam.

So one day the manager of a small business we look after called to say that they had a problem with their internet banking and that the bank had called them to alert them to the fact they had a virus.

Of course we rushed to help them.  We were put in contact with the bank and were informed that the customer had put a transaction through to a suspicious account.  On double checking of the details it was found that the suspicious account was not that account that the customer had tried to make a payment too.

On running a scan with their antivirus it was found that they did in fact have a virus.  Now this customer had fully up to date and good quality antivirus at the time they were infected,  however the AV had since run an update which then enabled it to detect what it had previously been unable to.  Meaning that the virus had hit this customer before the Antivirus software makers had been able to detect and update their software.

So the virus had intercepted their payment via internet banking and tried to divert the funds (the payment was for around $20,000!) to another bank account.  Lucky for the customer the bank had noticed suspicious activity on that account and blocked the transaction instantly.

The customer has since implemented a secure CommBiz Netlock system which is a custom and locked down browser along with 2 factor authentication token generator.  This is an excellent service from the commonwealth bank that we highly recommend.  More info at https://www.commbank.com.au/business/online-banking/commbiz/security.html

Using passwords leaked from one website, to blackmail the user.

A customer called us and reported that he had received an email, with his “standard” password in the subject.

The email went on to inform him that his computer had been compromised and that they had used his web camera to record him watching pornographic material and that if he didn’t pay a ransom in bitcoin,  then the video would be distributed to all the contacts in his email.

This customer had actually long since stopped using a standard password for all his only services, however he was obviously alarmed at the fact that the subject of the email was the password that he used to use for many site.

So the question was, is this real and how do they know my password?

We took a look at the email and then had a look at https://www.scamwatch.gov.au/  The twitter feed at https://twitter.com/scamwatch_gov is an amazing resource for information of scams that are currently doing the rounds.

Then we also put the users email into the site https://haveibeenpwned.com/  which is another great tool that I send to my customers just to get them thinking about their password and personal information security.

We discovered that the user had had their password leaks from multiple sites,  however it appeared likely that the culprit was the Linkedin hack of 2012.

Protecting yourself

There are a number of things you can do, over and above security awareness, to help protect your users from scams.  We recommend the following:

1. Two Factor Authentication

Enable 2 factor authentication – (2FA) on every system where it’s supported.  2 factor authentication is “Something you know” and “something you have”.  Combinations usually include a password plus a security code generator, or password and an authentication app on your mobile phone.  This can greatly reduce the impact of someone stealing or guessing your password.  Every day more services are offering 2FA including Office 365, internet banking, paypal, facebook, ebay and many more.  Setting up 2FA is a slightly different process for each service, but usually fairly straight forward.  The service will usually offer some documentation or guides on setting it up.  AUIT offers consulting services where we can assist you to enforce 2FA on your business systems and ensure all your users are covered.

2. SPAM Filtering and Virus Filtering for Email

SPAM Filtering – ensure you have a decent spam filtering system to block virus and spam emails.  We use and recommend the spam filtering services from GoHosting.  https://www.gohosting.com.au/security/spam-filtering/

3. Web Filtering Firewall

A good web filtering firewall.  A good firewall can greatly assist in providing a secure working environment for your users.  We use and recommend Fortinet products.  For businesses we recommend the excellent web filter that Fortinet offers on their firewalls.  These can help block access to malicious sites and content that your users may inadvertently try to access.

4. Monitored Antivirus and Malware Protection

Monitored Antivirus – On many occasions we have seen users who either don’t have any antivirus installed, or their installed antivirus is out of date or not functioning at all.  So it’s important that you come up with a strategy for making sure that your antivirus is working and up to date.  At AUIT we install our remote management and monitoring software on all users computers, which is bundled with a high quality antivirus system and gives us visibility and alerts us if any users antivirus stops working or detects a virus.