Auto Complete Passwords: Safe or Dangerous?

Auto-complete for passwords is a feature commonly used in browsers today. It is a mechanism that allows usernames and passwords to be automatically entered into a web form. Only around 20% of US internet users have unique passwords for each online account. Many people have to manage dozens of different passwords and see auto-fill as a convenient feature that cuts down on time. Others use a dedicated application to manage passwords outside of the browser. Auto-fill, however, is much more dangerous than many realize.

A hacker can easily trick the browser or program by placing an invisible form on a compromised web page. 
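
A site owner can audit pages for the kind of concealed form described above. The following is an added example, not code from the original article: it flags credential inputs that are hidden by their own inline style or by a hidden ancestor. The class and function names, the hiding heuristics and the sample page are assumptions constructed for illustration; styles applied from external stylesheets or by scripts are not covered.

```python
import re
from html.parser import HTMLParser

# Constructed sample: one visible login form, two concealed credential forms.
SAMPLE_PAGE = """<html><body>
<form action="/login"><input type="email" name="user"><input type="password" name="pw"></form>
<div style="position:absolute; left:-9999px">
  <form><input type="text" name="email" autocomplete="email"><input type="password" name="p2"></form>
</div>
<form><input type="password" name="p3" style="opacity:0"></form>
</body></html>"""

CRED_TYPES = {"password", "email"}
CRED_TOKENS = {"username", "email", "current-password", "new-password"}
VOID = {"input", "br", "img", "meta", "link", "hr"}  # tags with no end tag
# Inline styles that keep an element fillable in the DOM but out of sight.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}"
    r"|(?<![\w-])(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.IGNORECASE)

class HiddenCredentialFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # per open element: does it hide its subtree?
        self.findings = []  # (line, field name, reason)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = "hidden" in attrs or bool(HIDING.search(attrs.get("style") or ""))
        if tag == "input":
            itype = (attrs.get("type") or "text").lower()
            tokens = set((attrs.get("autocomplete") or "").lower().split())
            is_cred = itype in CRED_TYPES or (itype != "hidden" and tokens & CRED_TOKENS)
            if is_cred and (hidden or any(self.stack)):
                reason = "hidden input" if hidden else "hidden ancestor"
                self.findings.append((self.getpos()[0], attrs.get("name"), reason))
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def audit(html):
    """Return credential inputs that are invisible or nested in a hidden element."""
    finder = HiddenCredentialFinder()
    finder.feed(html)
    return finder.findings
```

Calling `audit(SAMPLE_PAGE)` reports the two fields inside the off-screen `div` and the zero-opacity password field, and leaves the visible login form alone.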

MARKETERS TRACK TOO

Surprisingly, this is not only done by hackers. Digital marketers often deploy this trick to track what websites users visit. AdThink and OnAudience are both known to do this. Their goal is gathering data for marketing purposes, but IT professionals warn it would not be hard for them to steal passwords as well. 

ONE EASY AND EFFECTIVE WAY TO IMPROVE SECURITY

It is quite simple to disable auto-complete in a browser. Privacy settings in most browsers can be easily accessed and auto-complete disabled within a minute. Below are instructions to accomplish this. 

For Chrome users: Go to the Settings window, go to Advanced, and then disable it under Manage Passwords.

For Firefox users: Go to the Options window, click the Privacy tab, then under the History heading, select “Firefox will: Use custom settings for history.” Then in the new window, disable “Remember search and form history.”

For Safari users: Open the Preferences window, select the Auto-fill tab, and turn off all features related to usernames and passwords.

Unfortunately, this is just one way hackers can get your information. Thus, modern organizations with advanced technology require more managed measures against hackers.

Contact us today at BluWater Tech for around-the-clock security assistance.

Warning – The Most Effective Social Engineering Attacks

Although it may seem as if hackers, criminals, and thieves prefer the challenge of attacking only seemingly impenetrable computer systems, this is not necessarily the case. While it is true that companies do need effective security measures in place to handle these types of impersonal attacks, hackers still frequently turn to more traditional methods of cyber attacks for one good reason.

As IT security methods continue to become more sophisticated, hackers sometimes find it more lucrative (and easier) to perform social engineering attacks that allow them to manipulate human behavior. Unfortunately, this is because staff members are either poorly trained (if at all) to spot hacking attempts or, unlike a machine, sometimes let their guard slip. Of course, hackers understand all too well that a busy or unsuspecting employee may eventually provide them with an opportunity to slip their way into a corporate system; they just need patience.

Top Social Engineering Attacks 

  • Phishing – All it takes is a credible-looking email with either a link or an attachment to click on, and an employee may either give away sensitive information or allow a virus to enter their corporate computer system.
  • Spear Phishing – This is similar to traditional phishing attempts, except that hackers target a specific person in a company. Often the targets are in positions related to lucrative financial aspects of the company.
  • Whaling – Rather than targeting one individual, whaling attempts involve attacking an entire level of higher management. This could be in companies or government agencies. Some of the attacks require a significant amount of research and are quite sophisticated in nature.
  • Vishing – Vishing involves using a phone rather than email in order to impersonate a business. The hackers pretend to be a legitimate company simply making a business call. Their goal is to find unsuspecting employees who will provide them with sensitive corporate information, often banking details.
  • Pretexting – This type of hacking also involves impersonation. A hacker may phone an employee and pretend to be the company’s IT vendor. They may state that they are investigating a hacking attempt, and then that they need passwords and other sensitive information for specific computer systems.
  • Baiting – A hacker may leave a memory stick somewhere in or outside of a company they want access to. An unsuspecting employee discovers the memory stick and plugs it into a company computer to determine what it contains. Unfortunately, the memory stick is loaded with a virus or other penetrative software.
  • Tailgating – This is another type of hacking attempt that involves the physical presence of the hacker. In this scenario, a hacker pretends to be a delivery driver, company visitor, or facilities manager in order to gain access to unauthorized areas.

Summary  

It’s difficult, if not impossible, for companies to stay up to date on all the latest technology pitfalls. Many hackers are very sophisticated, methodical, and patient. It takes a professional IT vendor who makes it their business to stay on top of all the latest technology security issues to develop an effective security training program for their clients. If you would like more information on security training for all of your staff members, please contact us.

Top 5 Mobile Device Security Protocols for Organizations

More and more organizations are allowing their staff to rely on portable smart devices in order to conduct official business. With 24-hour, on-the-spot access to key information and business tools, portable devices offer astounding amounts of flexibility and convenience — enabling employers to access their organization from anywhere. That said, the question must be asked, is enough being done to ensure mobile device security?

In this post, we will outline 5 tips to consider regarding corporate mobile use.

Updating Mobile Device Security Policies 

Whether an organization writes its own security policies or outsources its IT services to a third party, corporate leaders need to make sure their written security policies address specific issues regarding mobile use. Not only does this force companies to sit down and seriously consider all the ramifications of mobile data access, but it also lets staff members know that IT security policies are not just “office-only” policies to follow.

Protect What’s Really Important 

By updating corporate security policies, it becomes obvious that what businesses are really protecting is the data that employees might access. No one is going to write up a security policy regarding the potential loss of a mobile device that cost a few hundred dollars. From the top down, everyone needs to clearly understand that following mobile usage policies is about data, not simple device breakage.

Mobile Device Security  

There is security software specifically available for mobile devices. Companies must ensure that any mobile device their employees use, whether company or personally owned, has professional security software installed and updated regularly.

Scrambling the Data

Along with mobile security, there are also mechanisms available that will scramble, or encrypt, phone data such as contact lists, emails, text messages, etc. Companies should check with those handling their IT operations to ensure encryption software is installed on all corporate mobile devices.

Consider Bluetooth Access

Many people don’t spend nearly enough time thinking about what it really means to have Bluetooth-enabled devices. They don’t know that:

  • Most new devices come with Bluetooth enabled
  • Anyone nearby could potentially connect to their mobile device
  • Whether using Bluetooth for personal or business reasons, if it’s on, it’s on.

Bluetooth can be a very useful feature that allows one to take hands-free calls, texts, etc., but it is also very difficult to remember to manually turn it off when not in use. Companies need to seriously consider whether to allow their employees to use Bluetooth at all or at least use security software that addresses Bluetooth use.

If you would like to know more about developing comprehensive security policies regarding employee mobile usage, please contact us.

Develop a Data Loss Prevention Strategy

Every business needs to think about the risk of data loss. Even the smallest ones have customer and financial information that has to stay out of the wrong hands. Many have records that could lead to identity theft if they’re stolen. A business needs a plan and a policy for data loss prevention. It has to include these steps:

Perform risk analysis for data loss prevention

Some information is especially sensitive, and managers have to concentrate their efforts on protecting it. A risk analysis will identify the information that most needs protection. It will identify areas that are vulnerable, such as unencrypted databases with weak access control. A prioritized list of assets at risk will provide the basis for a strategy.

Identify data movements

The biggest risks come when data is carelessly moved from one place to another. Weakly protected intermediate storage provides thieves with a prime opportunity. Moving unencrypted data over the Internet leaves it open to interception. If the information isn’t wiped clean after transferring, those intermediate points create a lingering risk. Transfer of sensitive data should always use a secure channel.

Grant access conservatively

Grant access to data only to those who need it. Even if you are completely trustworthy, someone can compromise your account. The less an intruder can do with any given account, the more limited the damage will be. Role-based access tailors privileges to people’s jobs.

Train employees on loss prevention

Most data loss is due, at least in part, to employee error. Creating weak passwords, responding to a phishing scam, and saving insecure copies of data are just some of the mistakes that can lead to serious data breaches. Employees need to develop habits of treating their accounts and the data they handle carefully.

Get expert help

Bluwater Technologies provides managed IT services that will help you keep your data safe. Our experts will help you identify the sources of risk in your network and find the best ways to prevent data loss. Contact us to learn how we can help your business.

Your Employees are the Biggest Threat to Your IT Infrastructure

One of the biggest threats to any company’s IT infrastructure, albeit an unintentional threat, is the company’s employees. It isn’t all that uncommon for a company’s employees to end up accidentally helping out criminals or compromising the company’s IT security just by doing what they consider to be completely normal activities.

When employees use their devices to access a company network so they can check their email, download files, etc., their device may end up getting infected by a virus or malware or get hacked. When this happens, the company’s data can end up getting compromised in addition to that employee’s personal data. Of course, there is also the risk that they may lose these devices, and hackers or other criminals will then have access to that employee’s credentials, which they can then use to break into your network.

What Can You Do About It?

  • Provide your employees with additional training so that they are capable of identifying potential security risks and acting accordingly.
  • Make sure that you have established a clear and consistent set of policies. They should relate to password management, use of personal devices, data sharing and internet access.
  • If you don’t have a clear reason to allow it, then it may be in your best interests to ban the use of personal devices on your business’s network in order to minimize this risk.
  • Install a wide variety of different security mechanisms, both hardware and software. This ensures that you are easily able to identify when your network is being accessed. Additionally, confirm that the person accessing it is authorized. That way, you can identify and address potential security breaches before they become a problem.

IT security is a critical portion of any business. When you let employees access your network, you are trusting them to be responsible with the data they can access. If you are going to give them access to this data, you should make sure they are responsible enough.

For more information about securing your IT infrastructure, contact us today!