
Category: Small Business I.T Support

Password Policy? Yes or No?

Passwords are an essential part of an organisation’s IT infrastructure. They are the first line of defence against attackers and usually the first thing to be compromised during a breach. This is why many organisations go to great lengths to protect their own passwords as well as those of their users; often through invasive password change policies which tend to do more harm than good.

As of April 2019 Microsoft is actually recommending disabling organisation-wide password change policies, not because of the password change policy itself but because of the effects it has on users trying to avoid the hassle of complying with it. When users must change their password every 30/60/90 days they start coming up with strategies to ‘cheat’ the system, such as keeping the same password with an incremented number (Password1, Password2, etc.) or writing their passwords down in public locations (a sticky note attached to the PC). Both of these strategies are quite common and are often less secure than simply having a single strong password.

But what is a strong password? Microsoft defines a strong password as being at least 8 characters long and containing 3 out of 5 of the following:

  • Capital Letters
  • Lowercase Letters
  • Numbers
  • Symbols
  • Foreign Characters (こんにちは, Привет, 你好)

Whilst we agree in principle, there should be some education around this so users do not come up with easy passwords that satisfy the requirements, such as Password1. This is an insecure password but meets Microsoft’s requirements for a ‘strong’ password.

A good way to satisfy the password requirement, be secure, and still remember your password is this: choose 3 short words that you will remember, then pick a symbol (such as $). You can now combine these to make a password such as:

#IT#support#CANBERRA

or even the reverse is possible:

#it#SUPPORT#canberra

These passwords are more secure because of their length, and more memorable because they relate to something that you chose.
If you can’t think of the words, that’s okay: you can use a free tool to generate some passwords for you and then choose the one you think you would remember best. There are password tools available online that let you customise how secure you want the password to be.

One of the websites is “A Secure Memorable Password Generator”: https://xkpasswd.net/s/
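As an added illustration (not code from the original post), the following Python implements the 3-of-5 category and 8-character rule described above, then adds a simple denylist so that Password1 is rejected even though it satisfies the complexity rule; it also builds passphrases in the three-words-plus-symbol style shown above. `COMMON_BASE_WORDS` is a constructed stand-in for a real breached-password list.

```python
"""Complexity rule versus a denylist check, plus the three-word passphrase style.

Added example; not code from the original post. COMMON_BASE_WORDS is a
constructed stand-in for a real breached-password list.
"""


def complexity_categories(password: str) -> set:
    """Return which of the five character categories appear in the password."""
    cats = set()
    for ch in password:
        if ch.isalpha() and not ch.isascii():
            cats.add("foreign")      # e.g. こんにちは, Привет, 你好
        elif ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        else:
            cats.add("symbol")       # anything else: punctuation, $, #, space
    return cats


def meets_ms_complexity(password: str, min_length: int = 8, min_categories: int = 3) -> bool:
    """The rule quoted in the post: at least 8 characters and 3 of the 5 categories."""
    return len(password) >= min_length and len(complexity_categories(password)) >= min_categories


# Constructed denylist (assumption): in practice use a breached-password list.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}


def base_word(password: str) -> str:
    """Strip digits, symbols and case so Password1, Password2! and PASSWORD99 all become 'password'."""
    return "".join(ch for ch in password if ch.isalpha()).lower()


def is_acceptable(password: str) -> bool:
    """Complexity rule plus denylist: rejects the incremental-number 'cheat' the post describes."""
    if not meets_ms_complexity(password):
        return False
    return base_word(password) not in COMMON_BASE_WORDS


def build_passphrase(words, symbol: str = "#", upper_first: bool = True) -> str:
    """Join memorable words with a symbol, alternating case as in the post's examples."""
    parts = []
    for i, word in enumerate(words):
        make_upper = (i % 2 == 0) == upper_first
        parts.append(symbol + (word.upper() if make_upper else word.lower()))
    return "".join(parts)


if __name__ == "__main__":
    for pw in ["Password1", "password", build_passphrase(["it", "support", "canberra"])]:
        print(f"{pw!r}: complexity={meets_ms_complexity(pw)} acceptable={is_acceptable(pw)}")
```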

In summary, password change policies aren’t as secure as they seem on the surface, not due to any weakness in the policy itself but rather because of the effects it has on the users who are forced to follow it.

It is much better to use a single secure password in the style of the passwords listed above.

A Super Simple (ish) risk management system for businesses

In our travels providing IT support and various IT services, we work with lots of different businesses. Many small businesses start and grow very organically and have little time for pie-in-the-sky ideas like “security policies”. Usually it takes a mandate from a business partner or external stakeholder to prompt a small business to even start thinking about risk management.

The problem for many is that it’s very daunting to start with nothing, having no experience with any risk management system, and somehow end up with a valuable and solid system.

In our case, we enlisted the help of a security consulting firm.  The result was that we gained the internal knowledge and experience to run our own Information Security Management System (ISMS) and controls, based on the ISO 27000 series standards.

So, to help out our business IT support clients, we are going to share a few simple steps and cookie-cutter templates that should enable many small businesses to develop and implement some management control of their information security and give them a head start on expanding it.

So here we go:

The foundation of our Information Security Management System (ISMS) is identifying what data you have to protect, and then identifying the risks to that data and the IT systems surrounding it. Bear in mind that “protecting” the data means protecting its:

Confidentiality: Only those that should have access, have access

Integrity: Ensuring that the data is accurate and is not altered, whether accidentally or maliciously.

Accessibility: Ensuring that the data is accessible to those that require access.

All of these areas must be addressed to give a complete risk management strategy.

Step 1: Develop an “Information Asset Register”.  This is a basic list of the key information stores of the business.  See the below link for a template which includes some common small business assets.

Step 2: Develop your “Information Asset Register” into a “Risk Register”, which is a list of the risks that could affect each asset.

Step 3: Mitigate your risks to a level of risk you are happy to bear by creating security “controls”.

Step 4: Schedule regular time slots where you check and revalidate your asset register, risk register and mitigation controls.

This is entirely a management process, but it requires deep understanding and consideration of the risks and possibilities, so you need a deep technical understanding of your environment. As such it can be very helpful to enlist the advice of a professional consultant.

See the attached template, Information Risk Asset and Control Register, to help get you started.


Buying a Computer for Business

Helpful guide on buying a computer for Business

Why does it seem like every time you buy an appliance – TV, Washing Machine, Fridge or a Computer they seem to fail at the most inconvenient time when they are just outside the warranty period? It’s so frustrating when things fail when you just want them to work.

As with the entire IT industry, computers change rapidly. Over the last few years, we have seen things change from spinning disks to SSDs (Solid State Drives), more CPU power, smaller form factors, higher resolution monitors, all-in-one PCs and much more.

The majority of hardware failures we see in devices these days are hard drive failures, and less commonly power supply failures. Generally, we see a lot more failures and issues from consumer grade machines that are built to compete mostly on price, versus business grade machines that are designed to be robust.

When buying a new desktop computer, workstation, laptop or tablet I treat the purchase like I am purchasing a new lounge. Yes, I mean “lounge”, you know, that big comfortable thing you sit on after a hard day at work with your beverage of choice. Why a lounge? Well, think about it: you might spend a lot of time on your lounge or you might not, but in the time you do spend on it you want it to be familiar, comfortable and reliable, to recline when it is supposed to, and to last a long time. This is exactly what to look for in a computer.

Think about the following:

  1. How long do you want the computer to last? A good rule of thumb is 3 years, as this coincides with the warranty period for most mainstream manufacturers (for business grade computers). That said, I am writing this on a 4-year-old laptop that I love and that has not missed a beat, but yes, I do have backups and I have backup machines I can use if this one fails.
  2. What are you going to do with it? I always like to over-spec a little, as I want the best bang for buck and to get the most mileage out of all my new devices. I, like many people, really hate it when a computer doesn’t respond or is slow, and my stress levels are important to me, so I like to have a high performing computer at all times. If you are doing graphic design, then you will need a machine that can handle what you are going to do with it. It is never a good idea to buy a $500 laptop from a retailer and expect it to handle AutoCAD or Photoshop (or anything really) with any reasonable level of performance. If you only work on cloud-based products like Xero and Office 365 via the portal and web clients, then you might get away with a slightly less powerful computer, because the workload of these applications is mostly done by the servers up in the cloud.
  3. Warranty: You may or may not know that if you buy a business grade computer from a well-known manufacturer you can generally purchase different types of hardware replacement warranty. You can even get 24 hours a day, 7 days a week, 2-hour onsite hardware replacement warranty. This essentially means that the manufacturer will send a tech out to your home or business and repair or replace your device within 2 hours. Not a cheap exercise, but various options are available. Most businesses use a 3-year next business day onsite warranty, which is much more cost effective. Think about your needs and talk to your supplier about what you need.
  4. Features: Do you ever use the Bluetooth on your computer? What about WiFi? Or maybe you need an Ethernet port or a large amount of storage. Think about what you need and try not to pay for features you will not use. Also think about things like weight, battery life, screen size and resolution.
  5. Hard drives: At the time of writing (September 2018), I would never again purchase a computer or laptop with an old school spinning disk hard drive. It must be solid state disk all the way. The difference in performance is huge and not an area in which to cut a small amount of cost.
  6. Laptop screen resolution: One mistake I have seen a few times is getting suckered into buying a laptop with a poor-quality screen and low resolution. Windows 10 is simply not going to work well with a screen resolution that is not FHD (1920×1080) unless the screen size is under 14 inches. However, if you were to buy a 15-inch laptop with only an HD 1366×768 screen, you will be trapped, and the only option is to drop it off a cliff (as you will feel like doing) and buy something better.

In conclusion, as someone who sees many different types of PC and specs, your order of priority when buying a machine should be:

1. Specification
2. Warranty
3. Looks
4. Feel
5. Smell
6. Taste
7. ……….
8. Price

AUIT helps many of our customers choose the right hardware for their requirements. We would be more than happy to have a chat with you about your business computing requirements. If this is of interest to you, please contact us at https://auit.com.au/contact-us/

Fortinet 30E – Review

Firewall Fortinet FortiGate 30E – Review


In our day to day operations providing IT support to small and medium businesses in and around Canberra, we are often tasked with installing new networks or upgrading existing networks. As part of this process we come across a lot of different networking equipment, such as routers, switches and firewalls.

More recently, we have rolled out several different Fortinet products including the Fortinet FortiGate 30E Firewall.

The Fortinet FortiGate 30E is a compact unit not much bigger than your typical ADSL/VDSL router; it’s heavier than it looks and is a relatively plain looking device. It has a USB port, a console port, 1x GE WAN port and 4x GE switch ports.

The FortiGate 30E is much more than a typical firewall. It has many features and a lot of capability for its sub-$1000 price tag. Its features include IPS (Intrusion Prevention System), NGFW (Next Generation Firewall), Threat Protection, antivirus scanning, web filtering, DNS filtering, application control, SSL VPN and even a Web Application Firewall for those wanting to run on-premise web services.

The claimed throughput on this device is 950Mbps (Standard Firewall), 300Mbps IPS, 200Mbps NGFW and 150Mbps Threat Protection Throughput. Whilst we have not tested the maximum throughput, we have installed these devices in multiple locations with 100Mbit NBN connections and around 15 – 20 users without any issues.

The interface is very intuitive and settings can easily be found. I wouldn’t say it’s super easy to configure for a novice, but with a little know-how these devices can be deployed very quickly and very seamlessly.

[Image: Fortinet Dashboard]

The visibility into network traffic is amazing once you know where to look. You can look at FortiView which provides information on traffic in and out of LAN/DMZ and traffic from the WAN interface. This gives you a good summary of the bandwidth used by device, by application, the category of the traffic and the risk associated with the traffic. You can also look under Log and Report for real time traffic, what policy is being used, application control and web filter triggered events.

[Image: Fortinet FortiView]

With all business telephone systems being switched to VoIP (Voice over IP) on the NBN in Australia, it is imperative to ensure bandwidth hogs do not affect the quality of telephone calls in your business. One of the excellent features of the FortiGate 30E is the Traffic Shaper. You can assign a high priority to VoIP traffic and a minimum amount of bandwidth to ensure your clients can hear you clearly and concisely.

Business owners might also be thrilled at the ability to schedule firewall policies. For example, if you wanted to lock users out of social media except during their lunch break, you can do this with ease using Fortinet Schedules.

Overall, we have found this device to be very stable, with a high level of protection and performance. We would recommend this product to any small business that requires more protection and visibility than the built-in firewall of a default ADSL/VDSL modem/router.

The only downside of the FortiGate 30E firewall is that for reporting, and for any logging of events beyond what is happening right now, you need to purchase the additional FortiAnalyzer. It does have some cool features, but it pushes the price of the solution up. It is well worth it if you are interested in exactly what is happening on your network.

There is an annual subscription for the FortiGate products, but it is not overly expensive. I can’t say this is the best firewall on the market under the $1000 mark as I have not tested them all. I can say that, for value for money, we are very impressed with the level of protection and performance.

This is not a paid review.

Why we partner with JINGL.com.au

At AUIT we are always on the lookout for great solutions to implement for our customers that give them real world business advantages. Often we implement the exact same solutions for customers as we use ourselves, and so it is with the hosted phone system solution (also known as a hosted PABX) provided by JINGL.com.au.

A few years ago we were moving offices, so we started looking around at our phone system options. Back then the normal thing to do was to ring up Telstra, get them to install some phone lines, hook them up to a phone system in your office and run cabling for your telephones. At the time hosted phone systems were fairly new, however once we started looking into them we soon discovered the many benefits. We took out trial accounts with many of the hosted PABX offerings so we could do a direct shootout.

We discovered that JINGL offered many benefits over the competition and for us this included:

1. A super easy to use interface for managing your phones and your phone bill. This was REALLY what set JINGL apart when we tested out all the competition. JINGL’s management interface really is just way ahead of most of the competition. Within 30 minutes of getting a trial account I was ready to sign up, as the interface was easy, intuitive and just worked. In comparison, the interface of many of the alternatives was clunky, difficult to understand or just lacking in the required features. This made JINGL the winner!

2. Flexibility to automatically and manually direct calls.  This is especially important in a 24/7 support scenario to allow us to divert calls to techs who may be out of the office or working from home.

3. Redundancy: A very important factor for us was redundancy. If for whatever reason our head office were to be unavailable (fire, flood, theft, power outage etc.), then we simply need to run to our backup site and the phones will be working, as there is no dependency on a physical phone system at our head office.

4. Features such as autoresponders (press 1 for sales, 2 for support etc).

5. Amazing pricing. When we compared our phone bill to what we could expect under JINGL, the JINGL solution was way ahead on price. This has held true for most of the customers we have helped to move to JINGL.

There are many more really useful features of JINGL, but these were the big ones for us.

So for this reason we now have a partnership with JINGL, where we provide professional services to help our customers move their existing business telephones to the JINGL platform.

If you would like to talk to one of our consultants about your options, please give us a call on (02) 6176 3400

Common Scams and some tips on avoiding them.

As a managed service provider we deal with a lot of different businesses and a lot of different users. As part of our commitment to those businesses and users, we like to ensure that security (and especially security around I.T systems) is kept at the front of customers’ minds.

One way to do this is to share some stories about security incidents that we have witnessed or been asked to assist with. So here are a few:

————————————————————————————————————

The virus-borne internet banking scam.

One day the manager of a small business we look after called to say that they had a problem with their internet banking and that the bank had called to alert them to the fact they had a virus.

Of course we rushed to help them. We were put in contact with the bank and were informed that the customer had put a transaction through to a suspicious account. On double checking the details, it was found that the suspicious account was not the account the customer had tried to pay.

On running a scan with their antivirus it was found that they did in fact have a virus. Now, this customer had fully up to date and good quality antivirus at the time they were infected; however, the AV had since run an update which enabled it to detect what it had previously been unable to. This means the virus hit this customer before the antivirus vendor had been able to detect it and update their software.

So the virus had intercepted their payment via internet banking and tried to divert the funds (the payment was for around $20,000!) to another bank account. Luckily for the customer, the bank had noticed suspicious activity on that account and blocked the transaction instantly.

The customer has since implemented the secure CommBiz NetLock system, which is a custom, locked-down browser along with a two-factor authentication token generator. This is an excellent service from the Commonwealth Bank that we highly recommend. More info at https://www.commbank.com.au/business/online-banking/commbiz/security.html

Using passwords leaked from one website, to blackmail the user.

A customer called us and reported that he had received an email, with his “standard” password in the subject.

The email went on to inform him that his computer had been compromised, that they had used his web camera to record him watching pornographic material, and that if he didn’t pay a ransom in bitcoin the video would be distributed to all the contacts in his email.

This customer had actually long since stopped using a standard password for all his online services; however, he was obviously alarmed by the fact that the subject of the email was the password he used to use for many sites.

So the question was, is this real and how do they know my password?

We took a look at the email and then had a look at https://www.scamwatch.gov.au/. The Twitter feed at https://twitter.com/scamwatch_gov is an amazing resource for information on scams that are currently doing the rounds.

Then we also put the user’s email address into the site https://haveibeenpwned.com/, which is another great tool that I send to my customers just to get them thinking about their password and personal information security.

We discovered that the user had had their password leaked from multiple sites; however, it appeared likely that the culprit was the LinkedIn hack of 2012.

Protecting yourself

There are a number of things you can do, over and above security awareness, to help protect your users from scams. We recommend the following:

1. Two Factor Authentication

Enable two-factor authentication (2FA) on every system where it’s supported. Two-factor authentication combines “something you know” and “something you have”. Combinations usually include a password plus a security code generator, or a password and an authentication app on your mobile phone. This can greatly reduce the impact of someone stealing or guessing your password. Every day more services are offering 2FA, including Office 365, internet banking, PayPal, Facebook, eBay and many more. Setting up 2FA is a slightly different process for each service, but usually fairly straightforward. The service will usually offer some documentation or guides on setting it up. AUIT offers consulting services where we can assist you to enforce 2FA on your business systems and ensure all your users are covered.

2. SPAM Filtering and Virus Filtering for Email

SPAM filtering: ensure you have a decent spam filtering system to block virus and spam emails. We use and recommend the spam filtering services from GoHosting: https://www.gohosting.com.au/security/spam-filtering/

3. Web Filtering Firewall

A good web filtering firewall can greatly assist in providing a secure working environment for your users. We use and recommend Fortinet products. For businesses we recommend the excellent web filter that Fortinet offers on their firewalls. It can help block access to malicious sites and content that your users may inadvertently try to access.

4. Monitored Antivirus and Malware Protection

Monitored antivirus: On many occasions we have seen users who either don’t have any antivirus installed, or whose installed antivirus is out of date or not functioning at all. So it’s important that you come up with a strategy for making sure that your antivirus is working and up to date. At AUIT we install our remote management and monitoring software on all users’ computers, which is bundled with a high quality antivirus system and gives us visibility, alerting us if any user’s antivirus stops working or detects a virus.