To download these slides: https://www.slideshare.net/CITImarketing/5-security-tips-to-protect-your-login-credentials-and-more
We know that account compromises are one of the top 5 threats facing nonprofit organizations, and are perhaps the most impactful. Digital credentials, such as usernames and passwords, connect you and your employees to critical business applications, as well as online services.
Unfortunately, criminals know this — and that’s why digital credentials are among the most valuable assets found on the Dark Web.
In this video we talk about some tools and techniques that can be used to protect your login credentials and digital identity including good password practices, adding Multi Factor Authentication (MFA), and monitoring to alert when a compromised account is found.
Don’t assume your organization won’t be targeted – everyone is a target. Don’t miss these 5 security tips to protect your login!
As with all our webinars, this presentation is appropriate for an audience of varied IT and security experience.
This webinar was presented November 20, 2019.
As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt joined Community IT as an intern in the summer of 2000 and after finishing his dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, he rejoined Community IT as a network administrator in January of 2001. Matt has steadily progressed up at Community IT and while working full time received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He presents updated tips to protect your login credentials throughout the year.
Matt lives in Baltimore MD with his wife, daughter and son. He is a member of the Baltimore Choral Arts Society and on the support committee of the Reservoir Hill House of Peace.
Matthew Eshleman: Welcome to Community IT’s November webinar series. This month we will be talking about how to protect your digital identity.
Thanks for your patience as we had some issues with getting the webinar started, but we’ll go ahead and continue on with the content today.
Community IT is a 100% employee owned business that focuses on advancing nonprofits’ mission through the effective use of technology. We’ve been recognized by the Channel Futures MSP 501 as one of the top MSPs in the United States and we are the only MSP focused on nonprofit technology, based in DC that is on the list.
My name is Matthew Eshleman and I’m the Chief Technology Officer at Community IT and I’ll be leading today’s session.
If you have any questions you can use the chat feature. I’ll be monitoring that and we’ll be having some surveys along the way, so this is a shorter version of our usual hour format. We’re going to have a concise topic today, so please feel free to chat in some questions as we go along.
Thanks to those that submitted questions in advance. I believe we will either cover them during today’s webinar or I’ll reference some of the previous webinars that we’ve done at Community IT.
So in today’s agenda, we’ll just cover a little bit of the cyber security landscape, particularly focusing on digital identity. We’ll focus on some steps that you can take and then we’ll talk specifically about Dark Web Monitoring. This month’s focus will be on protecting your digital identity and so we’re going to be talking about the tools and techniques that are available to take that. As with all of our webinars, this session will be recorded and put on our YouTube channel and the slides will be available on our slide deck and made available to those who have registered as well. I do encourage you to stick around, there’ll be a special offer for those that are in attendance and have a request here at the end.
(2:28) So just start off a little bit with some overview about the cyber security landscape. This is a great resource, I encourage you to check out: this is Microsoft’s Nonprofit Guidelines for Cybersecurity and Privacy. This was put out by Microsoft philanthropies a little bit earlier in the year. They’re making some investments and inroads into providing some nonprofit specific resources around cybersecurity. Since a lot of the resources that are out there tend to be geared towards big enterprise or business or government. It’s nice to have some resources that are focused in the nonprofit sector.
One of the things that they found through the report here is that their studies demonstrate that nonprofits generally lag for-profit organizations in adopting policies, practices and tools needed to secure their environments, and I would say that’s something that we see at Community IT in supporting about 125 organizations. In that nonprofits have done a great job on cloud adoption, but have been less successful in adopting tools and processes, and compliance.
(3:29) So specifically, they found in their research that
- 60% of organizations don’t know how the organization handles cybersecurity risk, equipment usage and data privacy,
- 74% reported that they did not use multi factor authentication to access agency emails, and other business accounts. So again, some of the foundational pieces in terms of policy and MFA are really limited here in nonprofit organization.
Let’s get off and do a little poll here, see how the audience is doing today? So just go ahead and chat in if you have implemented MFA in your organization, either no or yes for some applications or yes for all applications.
So just take a minute, another few seconds here as folks are chatting in their responses… so looks like overall, the audience here are better than average. So here we’ve got almost the opposite, about 20 couple of percent have not implemented MFA at all, and then the remainder have done either for some or for all, so that’s great and that’s a really important step to take for securing the digital identities at your organization.
Other findings from that report (5:18):
- almost 50%, using wireless or webcams that maybe aren’t secured,
- most people (92%) can access the organization email using personal devices and then
- about 60% of folks were unaware of policies that defined how they were collecting data, about either staff or beneficiaries or donors, among the data that the organization collects.
So again, you’re kind of falling behind, where baselines are for collecting and storing data, securing the information that’s available. And what we know is from the human factor is that in the absence of good policies, people just kind of, do whatever. They take the path of least resistance and specifically as it refers to digital identities.
There’s research out there that says about 76% of people use the same password, if not the same root for most, if not all websites.
That means, the password they use for their Uber account or their Adobe account, or their network login account is going to be the same password that then they’re using to access all kinds of other cloud services and that’s particularly damaging, given the amount and the sheer volume and velocity that we’ve seen in terms of data breaches.
If an account is compromised in one system that password is then used to try to access, many other systems.
(6:46) At Community IT, we think about cyber security readiness through the familiar lens of people, process and technology solutions, with passwords and MFA being people-centric solutions, and that’s what we’re going to talk about today.
We’ve other webinars that we’ve done that talked about policy and security awareness training and also some technology tools as well. If you haven’t had a chance to check it out yet, our webinar from last month was on 10 Free Cybersecurity Tools, and Three Things that are Worth Paying For.
So for those of you that are looking to get started or looking for some resources to deal with free tools for training, there are some good things that are out there.
You can go to our website and check out our resources here.
(7:32) So with all the information out there about digital identity, the fact that people are reusing passwords, most organizations are not implementing or have not implemented MFA for all systems. What can we do to protect that?
Basically there are three things:
- understanding your exposure,
- understanding how staff at your organization are using their digital identity and I would say that’s either in your Office 365 account or your G Suite account, that’s the primary organizational ID. I think there’s certainly a staff educational component and that education can be done through, again rooted in policy that just talks about how organizational IT assets are to be used and then finally,
- have a plan. What happens if there are data breaches or data compromises? How is the organization going to react?
So fundamentally, we’re talking about how we can protect an organization’s digital identity and for many folks, and I would say Community IT included, I’ve been a big fan of the resource (8:44) Have I Been Pwned, you can check it out. I’ll go ahead and check out the link, it’s just haveibeenpwned.com and if you put in your email address there, it will generate a report that lists all of the data breaches that have been involved with your password in it. That’s always a good exercise to figure out how many places your account has been pwned.
It’s a free resource that a guy Troy Hunt, maintains. It’s a great resource. And it’s good to build that educational piece just to see the sheer amount of data that’s out there about you, your digital assets, your domain.
Breaches this week: Disney Plus launched and already there’s accounts available for Disney Plus that are available on the Dark Web. So you could decide to pay the 12.99 a month or however much it is for the subscription or you could go on the Dark Web and buy an account for three dollars and come out ahead.
Also, there were about maybe about 20 million accounts from GitHub, that’s a cryptocurrency platform that were released along with about 800,000 from a group called EpicBot. I think they do online marketplace type stuff. Every week is the steady drone of what accounts are, or what organizations have been compromised. Which passwords have been released, how many are already in the database out there.
And we certainly see it on the IT side, just the amount of brute-force login attacks that are targeted against the G Suite accounts or the Office 365 accounts that staff have. So with all this information floating out there, finding ways to identify and protect and defend against these attacks becomes even more complicated.
(10:57) So one of the things that we’ve started to do is to add in a service called Dark Web ID. This is a threat monitoring tool that monitors exposing compromised credentials that are on the Dark Web. Certainly some of that stuff is available through that free Have I Been Pwned site, but this is the tool that we’ve started using that can do some scanning and provide information not only on which accounts have been compromised, but also the passwords that are associated with those accounts in some cases and if there’s any PII associated with an account.
It’s been a helpful resource to kind of dive in and provide some insight, analytics of what’s going on in the organization, which user accounts are already out there and what changes we need to make as a result of knowing what public disclosure is out there.
They spend all of their time combing through these various Dark Web resources to build up the database of known compromises and then provide that as a reporting resource as well. The other thing that’s been helpful is that you can monitor corporate information and then you can also monitor (after approval) you can monitor personal email addresses as well, so for example, Community IT, monitoring our corporate email, but then also monitoring personal emails associated with staff in the organization. So I have my personal Gmail account monitored, so that I can get alerted if that information is out there in a way that I wasn’t aware of before.
(12:37) So let’s take a look at what the actual report is because I think this is really helpful to see, so what I’m going to show you is actually a report that I pulled today. This is for a domain that we used to use citidc.com and so it’s not something we are actively using anymore in Community IT, but it’s something that obviously has a lot of information on it and we’ll take a look and see what’s available on the Dark Web for that account.
So you can see we’ve got about 88 exposed credentials that are already exposed and so that information is out there and available. So if you’re a bad guy, you’ve got a big data set to work with already and so that information is out there and it’s probably part of some kind of resell databases that are on the Dark Web, trying to do some penetration testing and hacking on known username and password combinations.
So whenever we take a look at it, we can see that these are the most recent ADA compromises. There’s a couple pages beyond this, but I’m just going to highlight here. So on the page, you can see the date found so even though we haven’t used this, this isn’t a primary domain for us, as systems are compromised, new data is being incorporated and added to the database.
So again, we can see just last month, we’ve got a couple of accounts that were associated with the Share This data breach, and not available in this report, but the full version will show you the specific PII hit. Often those are dates of birth, could be addresses, full names, that kind of thing. In some cases, there are Social Security Number or driver’s license that are associated with the PII data as well.
(14:55) I’ve masked the emails, but the passwords are also to some extent masked, although you could perhaps guess what this password might be. Anything that starts as “comm” for a company Community IT. That might be an example of – we need to do some education and training around how to create good and strong passwords.
And so unfortunately, this is a pretty visible and immediate reminder that how the way you choose a password is important. Using common words or things associated with your domain name may not be the most effective. You can see from this report you’re going to see the name of the breach, the email address that’s associated with it, if there is a password hit, in some cases, the password might be in plain text like this one. In other cases it may be encrypted and that’s good.
Not every password breach is going to result in the public disclosure of an unencrypted account. Sometimes, there are breaches, but the passwords have been encrypted and so that’s great and that gives you a little bit more information to go on. It’ll also give you some information about the source. All these are just ID theft forums. There could be the disclosure type, whether it was a known data breach was not disclosed, like they just kind of stumbled across this and then there’s the origin.
So again, it could, you can see in this case, these are from Share This down here. This batch was not disclosed. Here’s Disqus and Bitly and so you can go through and you’ll get information about the data breaches that they were associated with.
If we would continue in this, Linkedin is a big source of a lot of accounts that are compromised and then the passwords are in plain text as well.
So this report, I think, is really helpful to provide some education information and can be used as a teaching tool to coordinate and work with staff just in terms of having good hygiene around their IT practices.
(17:17) So what are those specific things that it’s worth doing? So I have taken this and used this as an opportunity to have a teaching moment. It’s good to have separate business and personal accounts. Obviously, if you’re signing up for online services for work, it’s appropriate to use your work account. But, maybe if you’re signing up for a fitness App tracker or something else, maybe that’s something that would be good to use a personal account for so that if there is a compromise, it doesn’t connect back.
I think it’s also highlight to use strong, and more importantly, strong and unique passwords for each account. I saw a lot of the comments, folks were asking about these password managers, I think they’re great and I strongly encourage the use of password managers, so that you can generate a strong and unknowable and unrememberable password for each site, and then focus on having a strong password that you can remember to get into your password manager, protect that with multi factor authentication, and then allow the system to copy and paste into each application that you’re using.
Using a strong, unique password for each account, even better if you can implement single sign on for business accounts in particular. So you can go from having one system copy and pasting passwords into a field to using a single sign on directory. So technically, it’s a little bit different. The end user effect may be the same, but now instead of having 10 or 15 different passwords to store in a database, the single sign on solution will essentially authenticate you against that single directory and allow you access to an application that you are approved for. So if you’re managing IT in an organization, it makes on boarding and off boarding a lot easier, because you can just disable an account in one place and it disables their access to all the associated applications, as opposed to needing to remember to go in and kind of turn off access to that account in all the various systems that they have.
Protecting accounts with MFA: this is my mantra that I’ve been repeating over the past couple years, and we’re thinking about some creative ways to put some visualization around this for next year. We’re certainly making progress and getting organizations to adopt MFA. But again, MFA is a key way to protect that, so even if you do have a password that you’re actively using that shows up in this list, even if you are using this password, if you have multifactor, on that account, you get an extra layer of protection. So the bad guy will need not only your username and password, but then also the device that you have.
(20:17) And then finally, I think with some of the advent of these new tools like this Dark Web Monitor, it’s been a great additional resource to just provide some additional insight and reporting and alerting for whenever a new account compromise is identified. So with that, I do think it’s a great tool. I’m excited about using it.
So if you email cybersecurity@communityit with the subject of the Dark Web Scan, I will reply to you with a PDF report for your organization email, so you will get the report. It’ll include all the masked password information, so you can just do some education about the exposure that you have at your organization. Again, it’s a great resource because it’ll pull all the information for all the emails that are associated with your domain. The free scan will include all of that information.
So again, go ahead, send me an email, you can email it to cybersecurity@communityit with the subject of Dark Web Scan, and I’ll reply with a complimentary point in time scan for you to review.
So I have a limited number that I can do, so go ahead and get that in.
I’m happy to take any additional questions as they come up here. I know we’re about at time. So again, just to maybe confirm some of the acronyms I was using: MFA stands for Multi-factor authentication. That means that in addition to having your password, which is something you know, in order to complete a multi-factor authentication request, also there’s a physical aspect to it as well, so something you have.
I’ve been noticing MFA being implemented a lot more with various web services. When I log into my bank, it wants to text me a code, so I have to use my password, which is something I know and then it texts me a code to my phone, which is something I have, so that kind of counts as the second factor.
(22:39) There’s another question here about, strong passwords, what does that mean? Passwords versus passphrases. Yes, I think those are–I think good things to talk through, there’s a lot of discussion around, in this area, and I would say you should have something that’s at least 12 characters. Longer is better whenever choosing passwords or passphrases.
I mean, honestly, since I’ve been using a password generator, I don’t think about it too much anymore. I just use it to whatever the maximum the site will allow and just copy and paste and forget about it. I think the most important thing is actually the multi-factor because we’ve seen, data breaches are going to happen. They’re going to happen with some regularity and it doesn’t matter how long your password is, if somebody steals it, they’re just going to copy and paste it and so that’s why multifactor becomes the real security tool where you can require that second factor. I think we’re going to get into more like device trust, so you know, allowing only approved devices to access certain applications or certain systems.
- passwords are good,
- longer is better,
- use the password generator,
- use multi-factor. And that’s the real benefit.
If it’s 12 characters versus 16 characters versus 24 versus, you know, 50, and what I see, that doesn’t make that much of a difference. I think there are some brute-force attacks that are going on, but I think in most cases, passwords are being stolen or swindled out of people, as opposed to a machine kind of sitting there and doing brute-force attacks against the system. So I think those are good questions, though, really highlight the need for, you know, unique passwords or, you know, passphrases for each system, just use a password manager, you don’t really have to worry about it, and then making sure that MFA is enabled.
All right, well, I’m getting some feedback that the audio is not working, so let me just check in. And I will go ahead and just wrap up here. I know we started late, I’ll wrap up a few minutes late.
We are taking some time off in December and so we will be coming back in January where I’ll be joined by my colleagues our CEO, Johan Hammerstrom, our Chief Operating Officer, Johanny Torrico, and our Director of Infrastructure Consulting, Steve Longenecker and we’ll be talking about our nonprofit technology trends for 2020. So I’m looking forward to that. It’s gonna be a good discussion. So we’ll talk about some of the things that we’re seeing at Community IT in the nonprofit technology space and, for the sector.
So, thanks everybody for your time and the flexibility. I appreciate it. If you have any questions, comments or feedback, please feel free to put them in the survey that will follow the webinar. As I mentioned, you also get a copy of this as a recording and the slides as well. So, thank you for your time and your feedback, and I’ll look forward to talking with you in January. Have a great day.