2 Factor Authentication

Keeping on the same train of thought as our last blog post about PASSWORD POLICIES, today we will be talking about two-factor authentication (2FA): what it is and why it’s important.

The short explanation of two-factor authentication is the use of a secondary, external method of authentication as an added layer of security when accessing sensitive information. Over the past decade, usage of and reliance on 2FA have increased dramatically as cyber-attacks become more complex and harder to protect against. Two-factor authentication is an easy and effective way to essentially double the protection against attackers.

But what exactly is two-factor authentication and how does it work?

Two-factor authentication is when a piece of software or a service requires two separate forms of authentication before allowing access to sensitive information. These can be anything, as long as both methods are secure and neither can be used to manipulate or control the other.

For example, when accessing your Office 365 account it would require your password (stored in your memory or on your computer) as well as an authentication code from an app on your phone (stored on the phone).

This means that if an attacker wants to access your account they would need both your phone and your password. There are lots of different versions of this concept, but they all revolve around the same principle: two isolated forms of authentication. The isolation is important because if one authentication method can control the other, it is the same as having a single authentication method. Consider the above example:

If the mobile phone also had the user’s Office 365 password stored on it, the entire system would become insecure: if that phone is stolen, the attacker now has both the password and the secondary authentication method. This is why it is so important to keep your two-factor authentication methods separate.
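As an added illustration (not code from the original post), here is how the phone-app code in the example above is generated and checked. It implements the HOTP/TOTP algorithms (RFC 4226/6238) that authenticator apps use; the server keeps only the shared secret, separately from the password, which is the isolation the post describes. The demo secret is the RFC test key, not a real one, and the base32 secret format is what enrolment QR codes carry.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: the 'code from an app on your phone' factor."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret; pad and decode it."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = unix_time // step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check of a submitted code.

    Returns the matching time-step counter on success, or None on failure.
    - `window` tolerates clock drift between phone and server (+/- window steps).
    - `last_counter` is the counter of the last code accepted for this user; any
      code at or before it is rejected, so an observed code cannot be replayed.
    The server stores only this shared secret, never the user's password, so the
    two factors stay isolated as the post describes.
    """
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, code):       # constant-time comparison
            return counter
    return None


if __name__ == "__main__":
    # Demo secret: the RFC 6238 test key (ASCII "12345678901234567890"), constructed, not real.
    demo_secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(demo_secret))
```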

But why does it matter?

Well, over the past decade or so technology has advanced at an incredible rate. What was once secure is now considered ‘child’s play’ to compromise in the modern age of technology.

Take the example of an 8-character password matching Microsoft’s password requirements:


By today’s standards, it would take 36.99 minutes to crack without password retry timeout policies.
That isn’t very long for a dedicated attacker, but with two-factor authentication it wouldn’t matter, because they don’t have access to the secondary form of authentication.

When should you be using two-factor authentication?

The short answer is anywhere that contains data you want to protect. The downside of two-factor is that it increases the time taken to log in to secured services; so if a service contains only information you are willing to lose, you could choose not to use two-factor. However, given two-factor’s effectiveness at protecting your information, I’d say the benefits outweigh the negatives and you should use it wherever possible.

In summary, two-factor is the use of two separate authentication methods to protect access to a secure service or piece of software. It effectively doubles the security of the service by adding an external layer that an attacker would also need to compromise to steal your data. Lastly, you should use two-factor authentication wherever you can on anything that stores information you want to protect.

Password Policy? Yes or No?

Passwords are an essential part of an organisation’s IT infrastructure. They are the first line of defense against attackers and usually the first thing to get compromised during a breach. This is why many organisations go to great lengths to protect their passwords as well as the passwords of their users, often through invasive password change policies, which tend to do more harm than good.

As of April 2019, Microsoft is actually recommending disabling organisation-wide password change policies; not because of the policy itself, but because of its effects on users trying to mitigate the hassle of living with it. When a user must change their password every 30/60/90 days they start coming up with strategies to ‘cheat’ the system, such as using the same password with an incremental number (Password1, Password2, etc.) or writing their passwords down in public locations (a sticky note attached to the PC). Both of these strategies are quite common and are often less secure than just having a single strong password.

But what is a strong password? Microsoft defines a strong password as being at least 8 characters long and containing 3 out of 5 of the following:

  • Capital Letters
  • Lowercase Letters
  • Numbers
  • Symbols
  • Foreign Characters (こんにちは, Привет, 你好)

Whilst we agree in principle, there should be some education around this so users do not come up with easy passwords that satisfy the requirements, such as Password1. This is an insecure password, but it meets Microsoft’s requirements for a ‘strong’ password.

A good way to satisfy the password requirement, be secure, and even remember your password is: choose 3 short words that you will remember, then pick a symbol (such as $). You can now use these to make a password combination such as:


or even the reverse is possible:


These passwords are more secure because of their length, and more memorable because they relate to something you chose.
If you can’t think of the words, that’s okay; you can use a free tool to generate some passwords for you and then choose the one you think you would remember best. There are password tools available online that let you customise how secure you want the password to be.

One of the websites is “A Secure Memorable Password Generator”: https://xkpasswd.net/s/
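As an added example (not from the post, and going a step beyond it by also including a fully random 8-character password for comparison), the Python below checks the 3-of-5 rule as stated above, showing that Password1 passes, and compares the guessing work of the three-words-and-a-symbol scheme against 8-character passwords. The word list size (7776, as in diceware lists), the symbol count, the passphrase layout and the guess rate are all assumptions.

```python
"""Complexity check and guessing-work estimates for the password styles in the post."""
import math
import secrets
from typing import Sequence


def microsoft_complexity_ok(password: str) -> bool:
    """The 'strong password' rule as the post states it: at least 8 characters and
    at least 3 of 5 categories (upper, lower, digit, symbol, foreign/non-ASCII)."""
    if len(password) < 8:
        return False
    categories = [
        any(c.isascii() and c.isupper() for c in password),
        any(c.isascii() and c.islower() for c in password),
        any(c.isascii() and c.isdigit() for c in password),
        any(c.isascii() and not c.isalnum() for c in password),   # symbols
        any(not c.isascii() for c in password),                   # foreign characters
    ]
    return sum(categories) >= 3


def charset_bits(length: int, alphabet_size: int) -> float:
    """Guessing work (bits) for a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


def pattern_bits(length: int) -> float:
    """Guessing work for the common human pattern that passes the 3-of-5 rule
    (Password1 style): one capital letter, lowercase letters, one trailing digit.
    An attacker who tries this pattern first only has to cover 26^(length-1) * 10."""
    return (length - 1) * math.log2(26) + math.log2(10)


def passphrase_bits(num_words: int, wordlist_size: int, num_symbols: int = 32) -> float:
    """Guessing work for `num_words` random words plus one symbol, assuming the
    attacker knows the scheme and the word list (the defender's worst case)."""
    return num_words * math.log2(wordlist_size) + math.log2(num_symbols)


def random_passphrase(wordlist: Sequence[str], symbol: str, num_words: int = 3) -> str:
    """Build a 'three words and a symbol' password with a CSPRNG.
    Layout is assumed: capitalised words joined by the symbol, so the result also
    passes the 3-of-5 rule (upper, lower, symbol)."""
    words = [secrets.choice(wordlist).capitalize() for _ in range(num_words)]
    return symbol.join(words)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace of `bits` at an assumed guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # Constructed sample word list; a real one would have thousands of entries.
    sample_words = ["river", "lamp", "copper", "meadow", "silent", "orbit"]
    print("Password1 passes the rule:", microsoft_complexity_ok("Password1"))
    print("Password1-style pattern  :", round(pattern_bits(8), 1), "bits")
    print("random 8 x 94 characters :", round(charset_bits(8, 94), 1), "bits")
    print("3 words + symbol (7776)  :", round(passphrase_bits(3, 7776), 1), "bits")
    print("4 words + symbol (7776)  :", round(passphrase_bits(4, 7776), 1), "bits")
    print("example passphrase       :", random_passphrase(sample_words, "$"))
```

Read the numbers as relative rather than absolute: the three-word scheme comfortably beats the Password1 pattern people actually choose, while a truly random 8-character password still scores higher on paper, and a fourth word closes that gap.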

In summary, password change policies aren’t as secure as they seem on the surface; not due to any weakness in the policy itself, but rather the effects it has on the users who are forced to use it.

It is much better to use a single secure password, such as the style of passwords listed above.

A Super Simple (ish) risk management system for businesses

In our travels providing IT support and various IT services, we work with lots of different businesses. Many small businesses start and grow very organically and have little time for pie-in-the-sky ideas like “security policies”. Usually it takes a mandate from a business partner or external stakeholder to prompt a small business to even start thinking about risk management.

The problem for many is that it’s very daunting to start with nothing and no experience with any risk management system, and somehow end up with a valuable and solid system.

In our case, we enlisted the help of a security consulting firm. The result was that we gained the internal knowledge and experience to run our own Information Security Management System (ISMS) and controls, based on the ISO 27000 series standards.

So, to help out our Business IT Support clients, we are going to share a few simple steps and cookie-cutter templates that should enable many small businesses to develop and implement some management control of their information security, and give them a head start on expanding it.

So here we go:

The foundation of our ISMS (Information Security Management System) is identifying what data you have to protect, and then identifying the risks to that data and the IT systems surrounding it. Bear in mind that “protecting” the data means protecting its:

Confidentiality: Only those that should have access, have access

Integrity: Ensuring that the data is accurate and not accidentally or maliciously altered.

Accessibility: Ensuring that the data is accessible to those that require access.

All 4 areas must be addressed to give a complete risk management strategy.

Step 1: Develop an “Information Asset Register”. This is a basic list of the key information stores of the business. See the link below for a template which includes some common small business assets.

Step 2: Develop your “Information Asset Register” into a “Risk Register”, which is a list of the risks that could affect each asset.

Step 3: Mitigate your risks to a level of risk you are happy to bear by creating security “controls”.

Step 4: Schedule regular time slots where you check and revalidate your asset register, risk register and mitigation controls.

This is entirely a management process, but it requires deep understanding and consideration of the risks and possibilities, so you also need a deep technical understanding of your environment. As such it can be very helpful to enlist the advice of a professional consultant.

See the attached template to help get you started: Information Risk Asset and Control Register


Buy a computer

Buying a Computer for Business

Helpful guide on buying a computer for Business

Why does it seem like every time you buy an appliance (TV, washing machine, fridge or computer) it fails at the most inconvenient time, just outside the warranty period? It’s so frustrating when things fail when you just want them to work.

As with the entire IT industry, computers change rapidly. Over the last few years we have seen things change from spinning disks to SSDs (solid state drives), more CPU power, smaller form factors, higher resolution monitors, all-in-one PCs and much more.

The majority of hardware failures we see in devices these days are hard drive failures, and less commonly power supply failures. Generally, we see a lot more failures and issues from consumer-grade machines that are built to compete mostly on price, versus business-grade machines that are designed to be robust.

When buying a new desktop computer, workstation, laptop or tablet I treat the purchase like I am purchasing a new lounge. Yes, I mean “lounge”, you know that big comfortable thing you sit on after a hard day at work with your beverage of choice. Why a lounge? Well think about it, you might spend a lot of time on your lounge or you might not, but the time you do spend on your lounge you want it to be familiar, comfortable, reliable, recline when it is supposed to, and last a long time. This is exactly what to look for in a computer.

Think about the following:

  1. How long do you want the computer to last for? A good rule of thumb is 3 years, as this coincides with the warranty period for most mainstream manufacturers (for business-grade computers). That said, I am writing this on a 4-year-old laptop that I love and has not missed a beat, but yes, I do have backups and I have backup machines I can use if this fails.
  2. What are you going to do with it? I always like to over-spec a little, as I want the best bang for buck and to get the most mileage out of all my new devices. I, like many people, really hate when a computer doesn’t respond or is slow, and my stress levels are important to me, so I like to have a high performing computer at all times. If you are doing graphic design, then you will need a machine that can handle what you are going to do with it. It is never a good idea to buy a $500 laptop from a retailer and expect it to handle AutoCAD or Photoshop (or anything really) with any reasonable amount of performance. If you only work on cloud-based products like Xero or Office 365 via the portal and web clients, then you might get away with a slightly less high performing computer, because the workload of these applications is mostly done by the servers up in the cloud.
  3. Warranty: You may or may not know, but if you buy a business-grade computer from a well-known manufacturer you can generally purchase different types of hardware replacement warranty. You can even get 24 hours a day, 7 days a week, 2-hour onsite hardware replacement warranty. This essentially means that the manufacturer will send a tech out to your home or business and repair or replace your device within 2 hours. Not a cheap exercise, but various options are available. Most businesses use a 3-year next-business-day onsite warranty, which is much more cost effective. Think about your needs and talk to your supplier about what you need.
  4. Features: Do you ever use the Bluetooth on your computer? What about Wi-Fi? Or maybe you need an Ethernet port or a large amount of storage. Think about what you need and try not to pay for features you will not use. Also think about things like weight, battery life, screen size and resolution.
  5. Hard drives: At the time of writing this (September 2018), I would never again purchase a computer or laptop with an old-school spinning disk hard drive. It must be solid state disk all the way. The difference in performance is huge and not an area to cut a small amount of cost.
  6. Laptop screen resolution: One mistake I have seen a few times is getting suckered into buying a laptop with a poor-quality screen and low resolution. Windows 10 is simply not going to work well with a screen resolution that is not FHD (1920×1080) unless you have a screen size under 14 inches. However, if you were to buy a 15-inch laptop with only an HD 1366×768 screen, you will be trapped, and the only option is to drop it off a cliff (as you will feel like doing) and buy something better.

In conclusion, as someone who sees many different types of PC and specs, your order of priority when buying a machine should be:

1. Specification
2. Warranty
3. Looks
4. Feel
5. Smell
6. Taste
7. ……….
8. Price

AUIT helps many of our customers choose the right hardware for their requirements.  We would be more than happy to have a chat to you about your business computing requirements.  If this is of interest to you,  please contact us at https://auit.com.au/contact-us/

Fortinet 30E – Review

Firewall Fortinet FortiGate 30E – Review



In our day-to-day operations providing IT support to small and medium businesses in and around Canberra, we are often tasked with installing new networks or upgrading existing ones. As part of this process we come across a lot of different networking equipment, such as routers, switches and firewalls.

More recently, we have rolled out several different Fortinet products including the Fortinet FortiGate 30E Firewall.

The Fortinet FortiGate 30E is a compact unit not much bigger than your typical ADSL/VDSL router; it’s heavier than it looks and is a relatively plain-looking device. It has a USB port, a console port, 1x GE WAN port and 4x GE switch ports.

The FortiGate 30E is much more than a typical firewall. It has many features and a lot of capability for its sub-$1000 price tag. Its features include IPS (Intrusion Prevention System), NGFW (Next Generation Firewall), threat protection, antivirus scanning, web filtering, DNS filtering, application control, SSL VPN and even a web application firewall for those wanting to run on-premise web services.

The claimed throughput on this device is 950Mbps (Standard Firewall), 300Mbps IPS, 200Mbps NGFW and 150Mbps Threat Protection Throughput. Whilst we have not tested the maximum throughput, we have installed these devices in multiple locations with 100Mbit NBN connections and around 15 – 20 users without any issues.

The interface is very intuitive and settings can easily be found. I wouldn’t say it’s super easy to configure for a novice, but with a little know-how these devices can be deployed very quickly and seamlessly.

Fortinet Dashboard

The visibility into network traffic is amazing once you know where to look. You can look at FortiView which provides information on traffic in and out of LAN/DMZ and traffic from the WAN interface. This gives you a good summary of the bandwidth used by device, by application, the category of the traffic and the risk associated with the traffic. You can also look under Log and Report for real time traffic, what policy is being used, application control and web filter triggered events.

Fortinet Fortiview

With all business telephone systems being switched to VoIP (Voice over IP) on the NBN in Australia, it is imperative to ensure bandwidth hogs do not affect the quality of telephone calls in your business. One of the excellent features of the FortiGate 30E is the traffic shaper. You can assign a high priority to VoIP traffic and a minimum amount of bandwidth to ensure your clients can hear you clearly and concisely.

Business owners might also be thrilled at the ability to schedule firewall policies. For example, if you wanted to lock users out of social media except for during their lunch break, you can do this with ease with Fortinet Schedules.

Overall, we have found this device to be very stable with a high level of protection and performance. We would recommend this product to any small business that requires more protection and visibility than the firewall built into a default ADSL/VDSL modem/router.

The only downside of the FortiGate 30E is that for reporting and any logging of events beyond what is happening right now, you need to purchase the additional FortiAnalyzer, which has some cool features but pushes the price of the solution up. It is well worth it if you are interested in exactly what is happening on your network.

There is an annual subscription for the FortiGate products, but it is not overly expensive. I can’t say this is the best firewall on the market under the $1000 mark, as I have not tested them all, but I can say that for value for money we are very impressed with the level of protection and performance.

This is not a paid review.

Why we partner with JINGL.com.au

At AUIT we are always on the lookout for great solutions to implement for our customers that give them real-world business advantages. Often we implement the exact same solutions for customers as we use ourselves, and such is the case with the hosted phone system solution (also known as a hosted PABX) provided by JINGL.com.au.

A few years ago we were moving offices, so we started looking around at our phone system options. Back then the normal thing to do was to ring up Telstra, get them to install some phone lines, hook them up to a phone system in your office and run cabling for your telephones. So at the time hosted phone systems were fairly new; however, once we started looking into it we soon discovered the many benefits. At the time we took out trial accounts with many of the hosted PABX offerings so we could do a direct shootout.

We discovered that JINGL offered many benefits over the competition and for us this included:

1. A super easy to use interface for managing your phones and your phone bill. This was REALLY what set JINGL apart when we tested out all the competition. JINGL’s management interface really is just way ahead of most of the competition. Within 30 minutes of getting a trial account I was ready to sign up, as the interface was easy, intuitive and just worked. In comparison, the interface of many of the alternatives was clunky, difficult to understand or just lacking in the required features. This made JINGL the winner!

2. Flexibility to automatically and manually direct calls.  This is especially important in a 24/7 support scenario to allow us to divert calls to techs who may be out of the office or working from home.

3. Redundancy: A very important factor for us was redundancy. If for whatever reason our head office were to be unavailable (fire, flood, theft, power outage etc.), then we simply need to run to our backup site and the phones will be working, as there is no dependency on a physical phone system at our head office.

4. Features such as autoresponders (press 1 for sales, 2 for support etc).

5. Amazing pricing.  When we compared our phone bill, to what we could expect under JINGL, the JINGL solution was way ahead on price.  This has held true for most of the customers we have helped to move to JINGL.

There are many more really useful features of JINGL, but these were the big ones for us.

So for this reason we now have a partnership with JINGL where we provide professional services to help our customers to move their existing business telephones to the JINGL platform.

If you would like to talk to one of our consultants about your options, please give us a call on (02) 6176 3400

Office 365

Office 365 for Email – Migrations and Downtime


Some of the questions we get asked all the time when switching clients to Office 365 for email are: ‘How long does it take?’ and ‘Will there be any downtime?’

I thought I would write a post about these two questions specifically, in the hope that it can at least put you the reader at ease when deciding if Office 365 for email is for your business.

‘How long does it take?’

This is not a simple question, but it has a simple answer: it depends. The time it takes to perform an Office 365 mail migration depends on a number of factors, which you should consider when planning to move your mail services.

How many mailboxes? Obviously if you have 5 mailboxes it will take less time than if you have 50, and 50 mailboxes will take less time than 500, and so on. The more users, the more support and admin will be required for the transition.

What type of migration? There are 3 types of standard migration that can be performed to migrate email to Office 365: cutover migration, staged migration and hybrid migration. This of course assumes you are coming from some type of Exchange-based solution, whether on-premise or hosted. We also perform what we like to refer to as a custom migration, which is where we might move you from POP or IMAP email from a different source like Gmail or a Mac mail server. The type of migration required will affect the time needed to perform it.

How much data? The amount of data to import into Office 365 is generally the biggest factor in determining the time required to perform a migration. If there are 10 mailboxes with 2GB of email each, that is 20GB of data that has to be uploaded to the Office 365 servers. Now, I am not sure if you have ever tried to upload 20GB of data on a poor ADSL2+ connection, but it’s not great fun. Now imagine if you have 100 users with 10+GB mailboxes.

Internet speed? If you are importing your existing email into Office 365 (and why wouldn’t you?), the data has to be uploaded to the Office 365 servers and, depending on the migration type, re-downloaded to sync your new mailbox. For example, if you are moving to Office 365 from a hosted IMAP solution like Gmail, the email will generally be uploaded from those servers, which you would assume have a decent internet connection; but then you have to have Outlook connect to the Office 365 Exchange servers and download all of your email, calendars and contacts, which will vary depending on your internet connection speed.

Aftercare support? So you have migrated all of the data, users are connecting with Outlook and everything is going well, until your phone starts ringing because a user no longer has the email address autocomplete from before the migration, or they are missing calendar items, or maybe they can’t connect their iPhone to Office 365. Allow time to provide support for these types of requests. There will always be things that can get missed; the most common ones are scan-to-email for on-premise scanners, signatures, and email address autocomplete.

The time it takes is generally not an issue, as there is usually no interruption to services while the migration is being performed, if planned correctly. We recently performed a staged migration of a hosted Exchange 2010 server with over 1000 mailboxes and 3TB of mailbox store; this migration took weeks of planning and preparation and was seamless to the end users, with very little impact on the hundreds of tenants hosted in that environment.

‘Will there be any downtime?’

If everything has been done correctly, there will be very little interruption to business email services. The majority of the work is done during the planning, preparation and migration phases, again if planned and prepared correctly. At most, the interruption should be while a mail client is reconfigured to connect to Office 365 and the mailbox is synced; during this time, if there are any urgent emails waiting to be sent or received, keep in mind the user can always use Outlook Web Access or the webmail client.

So if you are thinking of migrating to Office 365 for email, which is an awesome tool for any business, ensure you plan thoroughly, stay informed and communicate with your users; this will ensure a smooth migration and everyone will be happy. And of course, if you need help or would like someone to do the migration for you, get in touch with us here at AUIT and we will certainly be able to help.

Common Scams and some tips on avoiding them.

As a managed service provider we deal with a lot of different businesses and a lot of different users. As part of our commitment to those businesses and users, we like to ensure that security (and especially security around IT systems) is kept at the front of customers’ minds.

IT Security Investment Scams

One way to do this is to share some stories about security incidents that we have witnessed or been asked to assist with. So here are a few:


The virus borne internet banking scam.

So one day the manager of a small business we look after called to say that they had a problem with their internet banking, and that the bank had called to alert them to the fact they had a virus.

Of course we rushed to help them. We were put in contact with the bank and were informed that the customer had put a transaction through to a suspicious account. On double-checking the details, it was found that the suspicious account was not the account the customer had tried to make a payment to.

On running a scan with their antivirus it was found that they did in fact have a virus. Now, this customer had fully up-to-date and good quality antivirus at the time they were infected; however, the AV had since run an update which enabled it to detect what it had previously been unable to. This means the virus had hit this customer before the antivirus software makers had been able to detect it and update their software.

So the virus had intercepted their payment via internet banking and tried to divert the funds (the payment was for around $20,000!) to another bank account. Luckily for the customer, the bank had noticed suspicious activity on that account and blocked the transaction instantly.

The customer has since implemented the secure CommBiz Netlock system, which is a custom, locked-down browser along with a 2-factor authentication token generator. This is an excellent service from the Commonwealth Bank that we highly recommend. More info at https://www.commbank.com.au/business/online-banking/commbiz/security.html

Using passwords leaked from one website to blackmail the user.

A customer called us and reported that he had received an email with his “standard” password in the subject.

The email went on to inform him that his computer had been compromised, that they had used his webcam to record him watching pornographic material, and that if he didn’t pay a ransom in bitcoin the video would be distributed to all the contacts in his email.

This customer had actually long since stopped using a standard password for all his online services; however, he was obviously alarmed that the subject of the email was the password he used to use for many sites.

So the question was: is this real, and how do they know my password?

We took a look at the email and then had a look at https://www.scamwatch.gov.au/. The Twitter feed at https://twitter.com/scamwatch_gov is an amazing resource for information on scams that are currently doing the rounds.

Then we also put the user’s email into https://haveibeenpwned.com/, which is another great tool that I send to my customers just to get them thinking about their password and personal information security.

We discovered that the user had had their password leaked from multiple sites; however, it appeared likely that the culprit was the LinkedIn hack of 2012.
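Have I Been Pwned also offers a Pwned Passwords check that goes a step beyond the email lookup above: it lets you test a password against leaked credentials without ever sending the password. The Python below (an added example, not the post’s own code) implements that k-anonymity range query: only the first 5 characters of the password’s SHA-1 leave the machine, and the matching is done locally. The sample API response is constructed inline so it runs offline, and the User-Agent string is a placeholder.

```python
"""Check a password against Pwned Passwords without disclosing it (k-anonymity range query).

The range API takes only the first 5 hex characters of the password's SHA-1 and returns
every known hash suffix with that prefix, so the service never learns the password.
"""
import hashlib
import urllib.request
from typing import Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent
    to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many times the
    password appeared in known breaches, or 0 if it is absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10) -> str:
    """Live lookup (network required): only the 5-character prefix is sent."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "example-client"})  # placeholder UA
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Convenience wrapper for a real check; not used in the offline demo below."""
    prefix, _ = sha1_prefix_suffix(password)
    return pwned_count(password, fetch_range(prefix))


def build_sample_range_response(password: str, count: int) -> str:
    """Constructed stand-in for an API response: the real suffix of `password` between
    two made-up neighbour suffixes, so the parser can be exercised without network."""
    _, suffix = sha1_prefix_suffix(password)
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed decoy suffix
        f"{suffix}:{count}",
        "00D4F6E8FA162B14E9A4C9B7B6C6B7C9A1F:7",   # constructed decoy suffix
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Offline demo with a constructed response; swap in check_password_online for a real check.
    sample = build_sample_range_response("Password1", 5)
    print("Password1 seen in sample response:", pwned_count("Password1", sample), "times")
```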

Protecting yourself

There are a number of things you can do, over and above security awareness, to help protect your users from scams.  We recommend the following:

1. Two Factor Authentication

Enable 2-factor authentication (2FA) on every system where it’s supported. 2-factor authentication is “something you know” and “something you have”. Combinations usually include a password plus a security code generator, or a password and an authentication app on your mobile phone. This can greatly reduce the impact of someone stealing or guessing your password. Every day more services are offering 2FA, including Office 365, internet banking, PayPal, Facebook, eBay and many more. Setting up 2FA is a slightly different process for each service, but usually fairly straightforward; the service will usually offer some documentation or guides on setting it up. AUIT offers consulting services where we can assist you to enforce 2FA on your business systems and ensure all your users are covered.

2. SPAM Filtering and Virus Filtering for Email

SPAM filtering: ensure you have a decent spam filtering system to block virus and spam emails. We use and recommend the spam filtering services from GoHosting: https://www.gohosting.com.au/security/spam-filtering/

3. Web Filtering Firewall

A good web filtering firewall can greatly assist in providing a secure working environment for your users. We use and recommend Fortinet products; for businesses we recommend the excellent web filter that Fortinet offers on its firewalls. These can help block access to malicious sites and content that your users may inadvertently try to access.

4. Monitored Antivirus and Malware Protection

Monitored antivirus: on many occasions we have seen users who either don’t have any antivirus installed, or whose installed antivirus is out of date or not functioning at all. So it’s important that you come up with a strategy for making sure that your antivirus is working and up to date. At AUIT we install our remote management and monitoring software on all users’ computers, which is bundled with a high-quality antivirus system and gives us visibility and alerts us if any user’s antivirus stops working or detects a virus.